Abstract. Abstract machines for the strong evaluation of λ-terms (that is, under abstractions) are a mostly neglected topic, despite their use in the implementation of proof assistants and higher-order logic programming languages. This paper introduces a machine for the simplest form of strong evaluation, leftmost-outermost (call-by-name) evaluation to normal form, proving it correct, complete, and bounding its overhead. Such a machine, deemed Strong Milner Abstract Machine, is a variant of the KAM computing normal forms and using just one global environment. Its properties are studied via a special form of decoding, called a distillation, into the Linear Substitution Calculus, neatly reformulating the machine as a standard micro-step strategy for explicit substitutions, namely linear leftmost-outermost reduction, i.e. the extension to normal form of linear head reduction. Additionally, the overhead of the machine is shown to be linear both in the number of steps and in the size of the initial term, validating its design. The study highlights two distinguished features of strong machines, namely backtracking phases and their interactions with abstractions and environments.


1 Introduction 

The computational model behind functional programming is the weak λ-calculus, where weakness is the fact that evaluation stops as soon as an abstraction is obtained. Evaluation is usually defined in a small-step way, specifying a strategy for the selection of weak β-redexes. Both the advantage and the drawback of the λ-calculus is the lack of a machine in the definition of the model. Unsurprisingly, implementations of functional languages have been explored for decades.

Implementation schemes are called abstract machines, and usually account for two tasks. First, they switch from small-step to micro-step evaluation, delaying the costly meta-level substitution used in small-step operational semantics and replacing it with substitutions of one occurrence at a time, when required. Second, they also search the next redex to reduce, walking through the program according to some evaluation strategy. Abstract machines are machines because they are deterministic and the complexity of their steps can easily be measured, and are abstract because they omit many details of a real implementation, like the actual representation of terms and data-structures or the garbage collector.

Historically, the theory of the λ-calculus and the implementation of functional languages have followed orthogonal approaches. The former rather dealt with strong evaluation, and it is only since the seminal work of Abramsky and Ong [1] that the theory took weak evaluation seriously. Dually, practical studies mostly ignored strong evaluation, with the notable exception of Crégut [12,13] (1990) and, more recently, the semi-strong approach of Grégoire and Leroy [22] (2002), see also the related work paragraph below. Strong evaluation is nonetheless essential in the implementation of proof assistants or higher-order logic programming, typically for type-checking in frameworks with dependent types as the Edinburgh Logical Framework or the Calculus of Constructions, as well as for unification modulo βη in simply typed frameworks like λProlog.

The aim of this paper is to move the first steps towards a systematic and theoretical exploration of the implementation of strong evaluation. Here we deal with the simplest possible case, call-by-name evaluation to strong normal form, implemented by a variant of the Krivine Abstract Machine. The study is carried out according to the distillation methodology, a new approach recently introduced by the authors and previously applied only to weak evaluation [3].

Distilling Abstract Machines. Many abstract machines can be rephrased as strategies in λ-calculi with explicit substitutions (ES for short), see at least [14,23,13,9,24,8]. The Linear Substitution Calculus (LSC), a variation over a λ-calculus with ES by Robin Milner [26] developed by Accattoli and Kesner [2,4], provides more than a simple reformulation: it disentangles the two tasks carried out by abstract machines, retaining the micro-step operational semantics and omitting the search for the next redex. Such a neat disentangling, that we prefer to call a distillation, is a decoding based on the following key points:

1. Partitioning: the machine transitions are split in two classes. Principal transitions are mapped to the rewriting rules of the calculus, while commutative transitions (responsible for the search for the redex) are mapped on a notion of structural equivalence, specific to the LSC.

2. Rewriting: structural equivalence accounts both for the search for the redex and garbage collection, and commutes with evaluation. It can thus be postponed, isolating the micro-step strategy in the rewriting of the LSC.

3. Logic: the LSC itself has only two rules, corresponding to cut-elimination in linear logic proof nets. A distillation then provides a logical reading of an abstract machine (see [3] for more details).

4. Complexity: by design, a principal transition has to take linear time in the input, while a commutative transition has to be constant.

A distillery is then given by a machine, a strategy, a structural equivalence, and a decoding function satisfying the above points. In bilinear distilleries, the number of commutative transitions is linear in both the number of principal transitions and the size of the initial term. Bilinearity guarantees that distilling away the commutative part by switching to the LSC preserves the asymptotical behavior, i.e. it does not forget too much. At the same time, the bound on the commutative overhead justifies the design of the abstract machine, providing a provably bounded implementation scheme.

A Strong Distillery. Our machine is a strong version of the Milner Abstract 
Machine (MAM), a variant with just one global environment of the Krivine 
Abstract Machine (KAM), introduced in [3]. 

The first result of the paper is the design of a distillery relating the Strong MAM to linear leftmost-outermost reduction in the LSC [4,5], which is at the same time a refinement of leftmost-outermost (LO) β-reduction and an extension of linear head reduction [25,15,2] to normal form, together with the proof of correctness and completeness of the implementation [?]. Moreover, the linear LO strategy is standard and normalizing [3], and thus we provide an instance of Plotkin's approach of mapping abstract machines to such strategies [4].

The second result is the complexity analysis showing that the distillery is 
bilinear, i.e. that the cost of the additional search for the next redex specific 
to the machine is negligible. The analysis is simple, and yet subtle and robust. 
It is subtle because it requires a global analysis of executions, and it is robust 
because the overhead is bilinear for any evaluation sequence, not necessarily to 
normal form, and even for diverging ones. 

For the design of the Strong MAM we make various choices: 

1. Global Environment: we employ a global environment, which is in opposition to having closures (pairing subterms with local environments), and it models a store-based implementation scheme. The choice is motivated by future extensions to more efficient strategies as call-by-need, where the global environment allows to integrate sharing with a form of memoization [?].

2. Sequential Exploration and Backtracking: we fix a sequential exploration of the term (according to the leftmost-outermost order), in opposition to the parallel evaluation of the arguments (once a head normal form has been reached). This choice internalizes the handling of the recursive iterations, that would be otherwise left to the meta-level, providing a finer study of the data-structures needed by a strong machine. On the other hand, it forces to have backtracking transitions, activated when the current subterm has been checked to be normal and evaluation needs to retrieve the next subterm on the stack. Call-by-value machines usually have a similar but simpler backtracking mechanism, realized via an additional component, the dump.

3. (Almost) No Garbage Collection: we focus on time complexity, and thus ignore space issues, that is, our machine does not account for garbage collection. In particular, we keep the global environment completely unstructured, similarly to the (weak) MAM. Strong evaluation however is subtler, as to establish a precise relationship between the machine and the calculus with ES, garbage collection cannot be completely ignored. Our approach is to isolate it within the meta-level: we use a system of parenthesized markers, to delimit subenvironments created under abstractions that could be garbage collected once the machine backtracks outside those abstractions. These labels are not inspected by the transitions, and play a role only for the proof of the distillation theorem. Garbage collection then is somewhat accounted for by the analysis, but there are no dedicated transitions nor rewriting rules; it is rather encapsulated in the decoding and in the structural equivalence.


Efficiency? It is known that LO evaluation is not efficient. Improvements are possible along three axes: refining the strategy (by turning to strong call-by-value/need, partially done in [22,13,7]); speeding up the substitution process (by forbidding the substitution of variables, see [6,7]); and avoiding useless substitutions (by adding useful sharing, see [5,7]). These improvements however require sophisticated machines, left to future work.

LO evaluation is nonetheless a good first case study, as it allows to isolate the analysis of backtracking phases and their subtle interactions with abstractions and environments. We expect that the mentioned optimizations can be added in a quite modular way, as they have all been addressed in the complementary study in [7], based on the same technology (i.e. LSC and distilleries).

(Scarce) Related Work. Beyond Crégut's [12,13], we are aware of only two other similar works on strong abstract machines, García-Pérez, Nogueira and Moreno-Navarro's [21] (2013), and Smith's [29] (unpublished, 2014). Two further studies, de Carvalho's [?] and Ehrhard and Regnier's [?], introduce strong versions of the KAM but for theoretical purposes; in particular, their design choices are not tuned towards implementations (e.g. they rely on a naive parallel exploration of the term). Semi-strong machines for call-by-value (i.e. dealing with weak evaluation but on open terms) are studied by Grégoire and Leroy [22] and in a recent work by Accattoli and Sacerdoti Coen [?] (see [7] for a comparison with [22]). More recent work by Dénes [?] and Boutillier [?] appeared in the context of term evaluation in Coq. These works, which do offer the nice perspective of concretely dealing with proof assistants, are focused on quite specific Coq-related tasks (such as term simplification) and the difference in reduction strategy and underlying motivations makes a comparison difficult.

Of all the above, the closest to ours is Crégut's work, because it defines an implementation-oriented strong KAM, thus also addressing leftmost-outermost reduction. His machine uses local environments, sequential exploration and backtracking, scope markers akin to ours, and a calculus with ES to establish the correctness of the implementation. His calculus, however, has no less than 13 rewriting rules, while ours just 2, and so our approach is simpler by an order of magnitude. Moreover, we want to stress that our contribution does not lie in the machine per se, or the chosen reduction strategy (as long as it is strong), but in the combined presence of a robust and simple abstraction of the machine, provided by the LSC, and the complexity analysis showing that such an abstraction does not miss too much. In this respect, none of the above works comes with an analysis of the overhead of the machine nor with the logical and rewriting perspective we provide. In fact, our approach offers general guidelines for the design of (strong) abstract machines. The choice of leftmost-outermost reduction showcases the idea while keeping technicalities to a minimum, but it is by no means a limitation. The development of strong distilleries for call-by-value or lazy strategies, which may be more attractive from a programming languages perspective, are certainly possible and will be the object of future work (again, an intermediary step has already been taken in [?]).

Global environments are explored by Fernández and Siafakas in [?], and used in a minority of works, e.g. [?]. We introduced the distillation technique in [3] to revisit the relationship between the KAM and weak linear head reduction pointed out by Danos and Regnier [15]. Distilleries have also been used in [7]. The idea to distinguish between operational content and search for the redex in an abstract machine is not new, as it underlies in particular the refocusing semantics of Danvy and Nielsen [16]. The LSC, with its roots in linear logic proof nets, allows to see this distinction as an avatar of the principal/commutative divide in cut-elimination, because machine transitions may be seen as cut-elimination steps [8,3]. Hence, it is fair to say that distilleries bring an original refinement where logic, rewriting, and complexity enlighten the picture, leading to formal bounds on machine overheads.

Omitted proofs may be found in the appendices. 


2 Linear Leftmost-Outermost Reduction 

The language of the linear substitution calculus (LSC for short) is given by the following term grammar:

LSC Terms    t, u, w, r ::= x | λx.t | tu | t[x←u].

The constructor t[x←u] is called an explicit substitution, shortened ES (of u for x in t). Both λx.t and t[x←u] bind x in t, and we silently work modulo α-equivalence of these bound variables, e.g. (xy)[y←t]{x←y} = (yz)[z←t].

The operational semantics of the LSC is parametric in a notion of (one-hole) context. General contexts, that simply extend the contexts for λ-terms with the two cases for ES, and the special case of substitution contexts are defined by:

Contexts                 C, C' ::= ⟨·⟩ | λx.C | Ct | tC | C[x←t] | t[x←C];
Substitution Contexts    L, L' ::= ⟨·⟩ | L[x←t].

We write C ≺p t if there is a term u s.t. C⟨u⟩ = t, and call it the prefix relation.

The rewriting relation is → := →m ∪ →e, where →m and →e are the multiplicative and exponential rules, defined by

                  Rule at Top Level                  Contextual Closure
Multiplicative    L⟨λx.t⟩u ↦m L⟨t[x←u]⟩              C⟨t⟩ →m C⟨u⟩ if t ↦m u
Exponential       C'⟨x⟩[x←u] ↦e C'⟨u⟩[x←u]           C⟨t⟩ →e C⟨u⟩ if t ↦e u

The rewriting rules are assumed to use on-the-fly α-equivalence to avoid variable capture. For instance, (λx.t)[y←u]y →m t{y←z}[x←y][z←u] for z ∉ fv(t), and (λy.(xy))[x←y] →e (λz.(yz))[x←y]. Moreover, in ↦e the context C' is assumed to not capture x, in order to have (λx.x)[x←y] ↛e (λx.y)[x←y].
The above operational semantics ignores garbage collection. In the LSC, this may be realized by an additional rule which may always be postponed, see [2].

Taking the external context into account, an exponential step has the form C''⟨C'⟨x⟩[x←u]⟩ →e C''⟨C'⟨u⟩[x←u]⟩. We shall often use a compact form:

Exponential Rule in Compact Form    C⟨x⟩ →e C⟨u⟩    if C = C''⟨C'[x←u]⟩

Definition 1 (Redex Position). Given a →m-step C⟨t⟩ →m C⟨u⟩ with t ↦m u or a compact →e-step C⟨x⟩ →e C⟨t⟩, the position of the redex is the context C.

We identify a redex with its position, thus using C, C', C'' for redexes, and use d : t →* u for derivations, i.e. for possibly empty sequences of rewriting steps. We write |t|[·] for the number of substitutions in t, and use |d|, |d|m, and |d|e for the number of steps, m-steps, and e-steps in d, respectively.

Linear Leftmost-Outermost Reduction, Two Definitions. We give two definitions of linear LO reduction →LO, a traditional one based on ordering redexes and a new contextual one not mentioning the order, apt to work with the LSC and relate it to abstract machines. We start by defining the LO order on contexts.

Definition 2 (LO Order). The outside-in order C ≺O C' is defined by

1. Root: ⟨·⟩ ≺O C for every context C ≠ ⟨·⟩;

2. Contextual closure: if C ≺O C' then C''⟨C⟩ ≺O C''⟨C'⟩ for any context C''.

Note that ≺O can be seen as the prefix relation ≺p on contexts. The left-to-right order C ≺L C' is defined by

1. Application: if C ≺p t and C' ≺p u then Cu ≺L tC';

2. Substitution: if C ≺p t and C' ≺p u then C[x←u] ≺L t[x←C'];

3. Contextual closure: if C ≺L C' then C''⟨C⟩ ≺L C''⟨C'⟩ for any context C''.

Last, the left-to-right outside-in order is defined by C ≺LO C' if C ≺O C' or C ≺L C'.

Two examples of the outside-in order are (λx.⟨·⟩)t ≺O (λx.(⟨·⟩[y←u]))t and ≺O t[x←uC], and an example of the left-to-right order is t[x←C]u ≺L t[x←w]⟨·⟩. The next immediate lemma guarantees that we defined a total order.


Lemma 1 (Totality of ≺LO). If C ≺p t and C' ≺p t then either C ≺LO C' or C' ≺LO C or C = C'.

Remember that we identify redexes with their position context and write C ≺LO C'. We can now define linear LO reduction, first considered in [3], where it is proved that it is standard and normalizing, and then in [5], extending linear head reduction [25,15,2] to normal form.

Definition 3 (Linear LO Reduction →LO). Let t be a term. C is the leftmost-outermost (LO for short) redex of t if C ≺LO C' for every other redex C' of t. We write t →LO u if a step reduces the LO redex.

We now define LO contexts and prove that the position of a linear LO step is always a LO context. We need two notions.

Definition 4 (Neutral Term). A term is neutral if it is →-normal and it is not of the form L⟨λx.t⟩.

Neutral terms are such that their plugging in a context cannot create a multiplicative redex. We also need the notion of left free variable of a context, i.e. of a variable occurring free at the left of the hole.

Definition 5 (Left Free Variables). The set lfv(C) of left free variables of C is defined by:

lfv(⟨·⟩)      := ∅                        lfv(tC)        := fv(t) ∪ lfv(C)
lfv(λx.C)     := lfv(C) \ {x}             lfv(C[x←t])    := lfv(C) \ {x}
lfv(Ct)       := lfv(C)                   lfv(t[x←C])    := (fv(t) \ {x}) ∪ lfv(C)

Definition 6 (LO Contexts). A context C is LO if

1. Right Application: whenever C = C'⟨tC''⟩ then t is neutral, and

2. Left Application: whenever C = C'⟨C''t⟩ then C'' ≠ L⟨λx.C'''⟩, and

3. Substitution: whenever C = C'⟨C''[x←u]⟩ then x ∉ lfv(C'').

Lemma 2 (LO Reduction and LO Contexts). Let t → u by reducing a redex C. Then C is a →LO step iff C is LO.
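The definitions of this section can be exercised directly by a small interpreter. The following Python code is an added example, not code from the paper: it represents LSC terms as tuples, implements the multiplicative and the (compact) exponential rules with on-the-fly α-renaming, and searches for the redex in the order that Definition 6 prescribes (the head of an application before its argument, the body of an ES before its content, an abstraction that heads an application never crossed but fired). The constructor and function names (V, Lam, App, ES, lo_step, normalize, canon) are the example's own, as are the sample terms.

```python
from itertools import count

# LSC terms as nested tuples (constructed for this example): variable x,
# abstraction λx.t, application tu, and explicit substitution t[x←u].
def V(x): return ('var', x)
def Lam(x, t): return ('lam', x, t)
def App(t, u): return ('app', t, u)
def ES(t, x, u): return ('es', t, x, u)

_fresh = count()

def rename(t, fresh, env=None):
    """Copy t giving every binder (λ and ES) the name fresh(old); free variables are kept."""
    env = env or {}
    k = t[0]
    if k == 'var':
        return V(env.get(t[1], t[1]))
    if k == 'app':
        return App(rename(t[1], fresh, env), rename(t[2], fresh, env))
    if k == 'lam':
        y = fresh(t[1])
        return Lam(y, rename(t[2], fresh, {**env, t[1]: y}))
    _, body, x, u = t
    y = fresh(x)
    return ES(rename(body, fresh, {**env, x: y}), y, rename(u, fresh, env))

def alpha(t):
    """On-the-fly α-renaming: a copy of t with globally fresh binder names."""
    return rename(t, lambda x: f"{x}_{next(_fresh)}")

def canon(t):
    """Canonical binder names v0, v1, ... so that α-equivalent terms compare equal."""
    c = count()
    return rename(t, lambda _: f"v{next(c)}")

def peel(t):
    """Split t = L⟨u⟩ with L a substitution context: returns u and L as (x, w) pairs, outermost first."""
    L = []
    while t[0] == 'es':
        L.append((t[2], t[3]))
        t = t[1]
    return t, L

def wrap(u, L):
    """Plug u back into the substitution context produced by peel."""
    for x, w in reversed(L):
        u = ES(u, x, w)
    return u

def lo_step(t, subs=None):
    """Fire the leftmost-outermost redex (Definitions 3 and 6).
    Returns (t', 'm' | 'e'), or None when t is →-normal.  `subs` maps a variable to the
    content of the closest enclosing ES binding it, i.e. the compact exponential rule."""
    subs = subs or {}
    k = t[0]
    if k == 'var':
        return (alpha(subs[t[1]]), 'e') if t[1] in subs else None
    if k == 'lam':                           # λx must not capture x (shadowing)
        r = lo_step(t[2], {y: w for y, w in subs.items() if y != t[1]})
        return (Lam(t[1], r[0]), r[1]) if r else None
    if k == 'app':
        head, L = peel(t[1])
        if head[0] == 'lam':                 # multiplicative: L⟨λx.b⟩u ↦m L⟨b[x←u]⟩
            return wrap(ES(head[2], head[1], t[2]), L), 'm'
        r = lo_step(t[1], subs)              # left application: search the head first
        if r:
            return App(r[0], t[2]), r[1]
        r = lo_step(t[2], subs)              # right application: the head is neutral, go right
        return (App(t[1], r[0]), r[1]) if r else None
    _, body, x, u = t                        # substitution: positions in body precede those in u
    r = lo_step(body, {**subs, x: u})
    if r:
        return ES(r[0], x, u), r[1]
    r = lo_step(u, subs)
    return (ES(body, x, r[0]), r[1]) if r else None

def normalize(t, limit=10_000):
    """Iterate →LO from an α-copy of t (so the input is well-named); returns (normal form, |d|m, |d|e)."""
    t, m, e = alpha(t), 0, 0
    for _ in range(limit):
        r = lo_step(t)
        if r is None:
            return t, m, e
        t, label = r
        m, e = m + (label == 'm'), e + (label == 'e')
    raise RuntimeError("step limit exceeded: the term may diverge")
```

On the constructed input (λx.xx)(λy.y) the derivation has two multiplicative and four exponential steps, ending in (λy'.y')[y''←λy'''.y'''][x←λy.y]. The fourth exponential step fires inside the content of the ES [y''←x], whose variable no longer occurs in its body: ≡gc could discard that ES, which illustrates why the machine of the later sections is related to →LO only up to the structural equivalence defined next, and not step for step to normal form.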


Structural Equivalence. A peculiar trait of the LSC is that the rewriting rules do not propagate ES. Therefore, evaluation is usually stable by structural equivalences moving ES around. In this paper we use the following equivalence, including garbage collection (≡gc), that we prove to be a strong bisimulation.

Definition 7 (Structural equivalence). The structural equivalence ≡ is the symmetric, reflexive, transitive, and contextual closure of the following axioms:

(λx.t)[y←u]     ≡λ     λx.t[y←u]            if x ∉ fv(u)
(tu)[x←w]       ≡@l    t[x←w]u              if x ∉ fv(u)
(tu)[x←w]       ≡@r    tu[x←w]              if x ∉ fv(t)
t[x←u][y←w]     ≡com   t[y←w][x←u]          if y ∉ fv(u) and x ∉ fv(w)
t[x←u][y←w]     ≡[·]   t[x←u[y←w]]          if y ∉ fv(t)
t[x←u]          ≡gc    t                    if x ∉ fv(t)
t[x←u]          ≡dup   t[y]x[x←u][y←u]

In ≡dup, t[y]x denotes a term obtained from t by renaming some (possibly none) occurrences of x as y, with y a fresh variable.


Proposition 1 (Structural Equivalence ≡ is a Strong Bisimulation). If t ≡ u →LO w then there exists r s.t. t →LO r ≡ w and the steps are either both multiplicative or both exponential.





3 Distilleries 


An abstract machine M is meant to implement a strategy ⊸ via a distillation, i.e. a decoding function, written s ↦ s̲. A machine has a state s, given by a code t, i.e. a λ-term t without ES and not considered up to α-equivalence, and some data-structures like stacks, dumps, environments, and heaps. The data-structures are used to implement the search for the next ⊸-redex and some form of substitution, and they decode to evaluation contexts for ⊸. Every state s decodes to a term s̲, having the shape Cs⟨t⟩, where t is the code currently under evaluation and Cs is the evaluation context given by the data-structures.

A machine computes using transitions, whose union is denoted by ⇝, of two types. The principal one, denoted by ⇝p, corresponds to the firing of a rule defining ⊸, up to structural equivalence ≡. The commutative transitions, denoted by ⇝c, only rearrange the data structures, and on the calculus are either invisible or mapped to ≡. The terminology reflects a proof-theoretic view, as machine transitions can be seen as cut-elimination steps [?]. The transformation of evaluation contexts is formalized in the LSC as a structural equivalence ≡, which is required to commute with evaluation ⊸, i.e. to satisfy the following: whenever t ⊸ r and t ≡ u, there exists q s.t. u ⊸ q and r ≡ q, for each of the rules of ⊸, preserving the kind of rule. In fact, this means that ≡ is a strong bisimulation (i.e. one step to one step) with respect to ⊸, which is what we proved in Proposition 1 for the equivalence at work in this paper. Strong bisimulations formalize transformations which are transparent with respect to the behavior, even at the level of complexity, because they can be delayed without affecting the length of evaluation:

Lemma 3 (Postponement of ≡). If ≡ is a strong bisimulation, t (⊸ ∪ ≡)* u implies t ⊸* ≡ u and the number and kind of steps of ⊸ in the two reduction sequences is exactly the same.

We can finally introduce distilleries, i.e. systems where a strategy ⊸ simulates a machine M up to structural equivalence ≡ via the decoding ·̲.

Definition 8. A distillery D = (M, ⊸, ≡, ·̲) is given by:

1. An abstract machine M, given by

 (a) a deterministic labeled transition system (lts) over states s, with labels in {m, e, c}; the transitions labelled by m, e are called principal, the others commutative;

 (b) a distinguished class of states deemed initial, in bijection with closed λ-terms; from these, the reachable states are obtained by applying the transitions;

2. a deterministic strategy ⊸, i.e., a deterministic lts over the terms of the LSC induced by some strategy on its reduction rules, with labels in {m, e};

3. a structural equivalence ≡ on terms which is a strong bisimulation with respect to ⊸;

4. a decoding function ·̲ from states to terms whose graph, when restricted to reachable states, is a weak simulation up to ≡ (the commutative transitions are considered as τ actions). More explicitly, for all reachable states:

 – projection of principal transitions: s ⇝p s' implies s̲ ⊸p ≡ s̲' for all p ∈ {m, e};

 – distillation of commutative transitions: s ⇝c s' implies s̲ ≡ s̲'.

The simulation property is a minimum requirement, but a stronger form of relationship is usually desirable. Additional hypotheses are required in order to obtain the converse simulation and provide complexity bounds.

Terminology: an execution ρ is a sequence of transitions from an initial state. With |ρ|, |ρ|p and |ρ|c we denote respectively the length, the number of principal and commutative transitions of ρ, whereas |t| denotes the size of a term t.

Definition 9 (Distillation Qualities). A distillery is

– Reflective when on reachable states:

 • Termination: ⇝c terminates;

 • Progress: if s is final then s̲ is a ⊸-normal form.

– Bilinear when, given an execution ρ from an initial term t:

 • Execution Length: the number of commutative steps |ρ|c is linear in both |t| and |ρ|p, i.e. |ρ|c ≤ c · (1 + |ρ|p) · |t| for some non-zero constant c (when |ρ|p = 0, O(|t|) time is still needed to recognize that t is normal);

 • Commutative: each commutative transition is implementable in O(1) time on a RAM;

 • Principal: each principal transition is implementable in O(|t|) time on a RAM.

A reflective distillery is enough to obtain a weak bisimulation between the strategy ⊸ and the machine M, up to structural equivalence ≡ (again, the weakness is with respect to commutative transitions). With |ρ|m and |ρ|e we denote respectively the number of multiplicative and exponential transitions of ρ.

Theorem 1 (Correctness and Completeness). Let D be a reflective distillery and s an initial state.

1. Simulation up to ≡: for every execution ρ : s ⇝* s' there is a derivation d : s̲ ⊸* ≡ s̲' s.t. |ρ|m = |d|m and |ρ|e = |d|e.

2. Reverse Simulation up to ≡: for every derivation d : s̲ ⊸* t there is an execution ρ : s ⇝* s' s.t. t ≡ s̲' and |ρ|m = |d|m and |ρ|e = |d|e.

Bilinearity, instead, is crucial for the low-level theorem.

Theorem 2 (Low-Level Implementation Theorem). Let ⊸ be a strategy on terms with ES s.t. there exists a bilinear reflective distillery D = (M, ⊸, ≡, ·̲). Then a derivation d : t ⊸* u is implementable on RAM machines in O((1 + |d|) · |t|) steps, i.e. bilinear in the size |t| of the initial term and the length |d| of the derivation.

Proof. Given d : t ⊸* u, by Theorem 1.2 there is an execution ρ : s ⇝* s' s.t. u ≡ s̲' and |ρ|p = |d|. The cost of implementing ρ is the sum of the costs of implementing the commutative and the principal transitions. By bilinearity, |ρ|c = O((1 + |ρ|p) · |t|) and so all the commutative transitions in ρ require O((1 + |ρ|p) · |t|) steps, because a single one takes a constant number of steps. Again by bilinearity, each principal one takes O(|t|), and so all the principal transitions together require O(|ρ|p · |t|) steps. □


4 Strengthening the MAM 


The machine we are about to introduce implements leftmost-outermost reduction 
and may therefore be seen as a strong version of the Krivine abstract machine 
(KAM). However, it differs from the KAM in the fundamental point of using 
global, as opposed to local, environments. It is therefore more appropriate to 
say that it is a strong version of the machine we introduced in [3], which we 
called MAM (Milner abstract machine). Let us briefly recall its definition: 


Code    Stack    Env           Code    Stack    Env
tu      π        E      ⇝c     t       u:π      E
λx.t    u:π      E      ⇝m     t       π        [x←u]:E
x       π        E      ⇝e     t^α     π        E          if E(x) = t

Note that the stack and the environment of the MAM contain codes, not closures as in the KAM. A global environment indeed circumvents the complex mutually recursive notions of local environment and closure, at the price of the explicit α-renaming t^α which is applied on the fly in ⇝e. The price however is negligible, at least theoretically, as the asymptotic complexity of the machine is not affected, see [3] (the same can be said of variable names vs de Bruijn indexes/levels).

We know that the MAM performs weak head reduction, whose reduction contexts are (informally) of the form ⟨·⟩π. This justifies the presence of the stack. It is immediate to extend the MAM so that it performs full head reduction, i.e., so that the head redex is reduced even if it is under an abstraction. Since head contexts are of the form Λ⟨·⟩π (with Λ a list of abstractions), we simply add a stack of abstractions Λ and augment the machine with the following transition:


Abs    Code    Stack    Env            Abs    Code    Stack    Env
Λ      λx.t    ε        E      ⇝c2     x:Λ    t       ε        E

The other transitions do not touch the Λ stack.

LO reduction is nothing but iterated head reduction. LO reduction contexts, which we formally introduced in Definition 6, when restricted to the pure λ-calculus (without ES) are of the form Λ⟨rCπ⟩, where: Λ and π are as above; r, if present, is a neutral term; and C is either ⟨·⟩ or, inductively, a LO context. Then LO contexts may be represented by stacks of triples of the form (Λ, r, π), where r is a neutral term. These stacks of triples will be called dumps.

The states of the machine for full LO reduction are as above but augmented with a dump and a phase φ, indicating whether we are executing head reduction (▼) or whether we are backtracking to find the starting point of the next iteration (▲). To the above transitions (which do not touch the dump and are always in the ▼ phase), we add the following:


Abs    Code    Stack    Env    Dump         Ph          Abs    Code    Stack    Env    Dump         Ph
Λ      x       π        E      D            ▼     ⇝     Λ      x       π        E      D            ▲     if E(x) = ⊥
x:Λ    t       ε        E      D            ▲     ⇝     Λ      λx.t    ε        E      D            ▲
ε      u       ε        E      (Λ,t,π):D    ▲     ⇝     Λ      tu      π        E      D            ▲
Λ      t       u:π      E      D            ▲     ⇝     ε      u       ε        E      (Λ,t,π):D    ▼

where E(x) = ⊥ means that the variable x is undefined in the environment E.

In the machine we actually use we join the dump and the Λ stack into the frame F, to reduce the number of machine components (the analysis will however somewhat reintroduce the distinction). In the sequel, the reader should bear in mind that a state of the Strong MAM introduced below corresponds to a state of the machine just discussed according to the following correspondence (see the footnote on the omitted markers):


Discussed Machine:   Abs: Λ0 | Code: t | Stack: π | Env: E | Dump: (Λ1, t1, π1) : ··· : (Λn, tn, πn)

Strong MAM:          Frame: Λ0 : (t1, π1) : Λ1 : ··· : (tn, πn) : Λn | Code: t | Stack: π | Env: E

5 The Strong Milner Abstract Machine 

The components and the transitions of the Strong MAM are given by the first two boxes in Fig. 1. As above, we use t, u, ... to denote codes, i.e., terms not containing ES and well-named, by which we mean that distinct binders bind distinct variables and that the sets of free and bound variables are disjoint (codes are not considered up to α-equivalence). The Strong MAM has two phases: evaluation (▼) and backtracking (▲).

Initial states. The initial states of the Strong MAM are of the form ε | t | ε | ε | ▼, where t is a closed code called the initial term. In the sequel, we abusively say that a state is reachable from a term meaning that it is reachable from the corresponding initial state.

Scope Markers. The two transitions to evaluate and backtrack on abstractions, ⇝▼c2 and ⇝▲c4, add markers to delimit subenvironments associated to scopes. The marker ▼x is introduced when the machine starts evaluating under an abstraction λx, while ▲x marks the end of such a subenvironment. Note that the markers are not inspected by the machine. They are in fact needed only for the analysis, as they structure the frame and the environment of a reachable state into weak and trunk parts, allowing a simple decoding towards terms with ES.

Footnote (on the correspondence at the end of Sect. 4): modulo the presence of markers of the form ▲x and ▼x in the environment, which are needed for bookkeeping purposes and were omitted there.
Frames          Λ ::= ε | (t, π) : Λ | x : Λ          Environments    Δ ::= ε | [x←t] : Δ | ▼x : Δ | ▲x : Δ
Stacks          π ::= ε | t : π                        Phases          φ ::= ▼ | ▲

Frame        Code    Stack    Env         Ph              Frame        Code    Stack    Env         Ph
Λ            tu      π        Δ           ▼     ⇝▼c1      Λ            t       u:π      Δ           ▼
Λ            λx.t    u:π      Δ           ▼     ⇝▼m       Λ            t       π        [x←u]:Δ     ▼
Λ            λx.t    ε        Δ           ▼     ⇝▼c2      x:Λ          t       ε        ▼x:Δ        ▼
Λ            x       π        Δ           ▼     ⇝▼e       Λ            t^α     π        Δ           ▼     if Δ(x) = t
Λ            x       π        Δ           ▼     ⇝▼c3      Λ            x       π        Δ           ▲     if Δ(x) = ▼
x:Λ          t       ε        Δ           ▲     ⇝▲c4      Λ            λx.t    ε        ▲x:Δ        ▲
(t, π):Λ     u       ε        Δ           ▲     ⇝▲c5      Λ            tu      π        Δ           ▲
Λ            t       u:π      Δ           ▲     ⇝▲c6      (t, π):Λ     u       ε        Δ           ▼

Frames (Ordinary, Weak, Trunk)                  Environments (Well-Formed, Weak, Trunk)
Λ  ::= Λw | Λt | Λw : Λt                        Δ  ::= Δw | Δt | Δw : Δt
Λw ::= ε | (t, π) : Λw                          Δw ::= ε | [x←t] : Δw | ▲x : Δw : ▼x : Δw
Λt ::= ε | x : Λ                                Δt ::= ε | ▼x : Δ

Fig. 1. The Strong MAM.

Weak and Trunk Frames. A frame F may be uniquely decomposed into F = 
F_w : F_t (with : abusively denoting concatenation, as we will always do in the 
sequel), where F_w = (t_1, π_1) : ··· : (t_n, π_n) (with n possibly null) is a weak frame, 
i.e. where no abstracted variable appears, and F_t is a trunk frame, i.e. not of the 
form (t, π) : F' (it either starts with a variable entry or it is empty). More precisely, 
we rely on the alternative grammar in the third box of Fig. 1. We denote by 
Λ(F) the set of variables in F, i.e. the set of x s.t. F = F' : x : F''. 

Weak, Trunk, and Well-Formed Environments. Similarly to the frame, the 
environment of a reachable state has a weak/trunk structure. In contrast to frames, 
however, not every environment can be seen this way, but only the well-formed 
ones (reachable environments will be shown to be well-formed). A weak 
environment E_w does not contain any open scope, i.e. whenever in E_w there is a 
scope opener marker (▼x) then one can also find the scope closer marker (▲x), 
and (globally) the closed scopes of E_w are well-parenthesized. A trunk 
environment E_t may instead also contain open scopes that have no closing marker in 
E_t (but not unmatched closing markers ▲x). Formally, weak E_w, trunk E_t, and 
well-formed environments E (all the environments that we will consider will be 
well-formed, that is why we note them E) are defined in the third box in Fig. 1. 

(*) We slightly abuse notation: the production F_w : F_t may produce ε : ε which is not a 
valid list/frame. To be formal, one should introduce the composition of lists, noted 
F_w ∘ F_t or F_t⟨F_w⟩, that removes empty frames in excess. To ease the reading, instead, 
we overload : with composition. 
Accessing Environments and Meta-level Garbage Collection. Fragments of the 
form ▲x : E_w : ▼x within an environment will essentially be ignored; this is 
how a simple form of garbage collection is encapsulated at the meta-level in the 
decoding. In particular, for a well-formed environment E we define E(x) as: 

\[
\begin{array}{rcl}
\epsilon(x) &:=& \bot \\
(\blacktriangle y : E_w : \blacktriangledown y : E)(x) &:=& E(x) \\
([x{\leftarrow}t] : E)(x) &:=& t \\
(\blacktriangledown x : E)(x) &:=& \top \\
([y{\leftarrow}t] : E)(x) &:=& E(x) \\
(\blacktriangledown y : E)(x) &:=& E(x)
\end{array}
\]

We write Λ(E) to denote the set of variables bound to ⊤ by an environment E, 
i.e. those variables whose scope is not closed with ▲. 

Lemma 4 (Weak Environments Contain only Closed Scopes). If E_w is 
a weak environment then Λ(E_w) = ∅. 


Implementation. Variables are meant to be implemented as memory locations, 
so that the environment is simply a store, and accessing it takes constant time 
on a RAM. In particular, both the list structure of environments and the scope 
markers are used to define the decoding (i.e. for the analysis), but are not meant 
to be part of the actual implementation. This is to be kept in mind for the sake of 
the bilinearity of the distillery to be defined. 
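As an added illustration of the transition rules of Fig. 1 and of the environment access E(x) just defined (this is our own model, not code from the paper), the following Python script runs the Strong MAM on a closed, well-named code and records the sequence of transitions. The tuple encoding of terms, the entry names ('sub', 'open', 'close', 'pair'), the labels 'c1'..'c6', and the fresh-name scheme of t^α are our own choices.

```python
from itertools import count

TOP, BOT = 'top', 'bot'          # E(x) results for an open scope and for an unbound variable
EVAL, BACK = 'eval', 'back'      # the two phases: evaluation (▼) and backtracking (▲)
_fresh = count()

def rename(t, sub=None):
    """t^alpha: copy t renaming every bound variable with a fresh name (naming scheme is ours)."""
    sub = sub or {}
    if t[0] == 'var':
        return ('var', sub.get(t[1], t[1]))
    if t[0] == 'lam':
        fresh = f"{t[1]}_{next(_fresh)}"
        return ('lam', fresh, rename(t[2], {**sub, t[1]: fresh}))
    return ('app', rename(t[1], sub), rename(t[2], sub))

def lookup(E, x):
    """E(x) as defined in the paper: a closed scope ('close', y) ... ('open', y) is skipped
    whole, the first [x<-t] returns t, an open scope ('open', x) returns TOP, BOT means unbound."""
    i = 0
    while i < len(E):
        kind = E[i][0]
        if kind == 'close':                       # skip to the matching opener (scopes nest)
            depth = 0
            while True:
                depth += (E[i][0] == 'close') - (E[i][0] == 'open')
                i += 1
                if depth == 0:
                    break
            continue
        if E[i][1] == x:
            return E[i][2] if kind == 'sub' else TOP
        i += 1
    return BOT

def step(s):
    """One transition of Fig. 1: returns (label, next state), or None when s is final."""
    F, t, pi, E, ph = s
    if ph == EVAL:
        if t[0] == 'app':                                           # ▼c1: push the argument
            return 'c1', (F, t[1], [t[2]] + pi, E, EVAL)
        if t[0] == 'lam':
            if pi:                                                  # m: bind x in the environment
                return 'm', (F, t[2], pi[1:], [('sub', t[1], pi[0])] + E, EVAL)
            return 'c2', ([('var', t[1])] + F, t[2], [], [('open', t[1])] + E, EVAL)  # ▼c2
        r = lookup(E, t[1])
        if r == TOP:                                                # ▼c3: head variable, backtrack
            return 'c3', (F, t, pi, E, BACK)
        if r == BOT:
            raise ValueError(f"unbound variable {t[1]} (closure invariant violated)")
        return 'e', (F, rename(r), pi, E, EVAL)                     # e: copy the bound code
    if pi:                                                          # ▲c6: evaluate next argument
        return 'c6', ([('pair', t, pi[1:])] + F, pi[0], [], E, EVAL)
    if not F:
        return None                                                 # final state (ε, t, ε, E, ▲)
    top, rest = F[0], F[1:]
    if top[0] == 'var':                                             # ▲c4: close the scope of x
        return 'c4', (rest, ('lam', top[1], t), [], [('close', top[1])] + E, BACK)
    return 'c5', (rest, ('app', top[1], t), top[2], E, BACK)        # ▲c5: rebuild the application

def run(t):
    """Run the machine from the initial state of a closed, well-named code t.
    Returns the final code (the normal form of t) and the list of transition labels."""
    s, trace = ([], t, [], [], EVAL), []
    while (r := step(s)) is not None:
        label, s = r
        trace.append(label)
    return s[1], trace

def size(t):
    """|t|: the number of constructors of t, the measure used by the bilinearity bound."""
    if t[0] == 'var':
        return 1
    if t[0] == 'lam':
        return 1 + size(t[2])
    return 1 + size(t[1]) + size(t[2])

# Constructed samples (not from the paper): (λx.λy.x y)(λz.z) and λf.λx.f ((λy.y) x).
SAMPLE1 = ('app', ('lam', 'x', ('lam', 'y', ('app', ('var', 'x'), ('var', 'y')))),
           ('lam', 'z', ('var', 'z')))
SAMPLE2 = ('lam', 'f', ('lam', 'x', ('app', ('var', 'f'),
           ('app', ('lam', 'y', ('var', 'y')), ('var', 'x')))))

if __name__ == '__main__':
    for t in (SAMPLE1, SAMPLE2):
        nf, trace = run(t)
        print(nf, trace)
```

The second sample exercises a full backtracking phase (→▼c3, →▲c6, →▲c5, →▲c4), and the trace lengths can be checked against the bounds of the complexity analysis.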


Compatibility. In the Strong MAM, both the frame and the environment record 
information about the abstractions in which evaluation is currently taking place. 
Clearly, such information has to be coherent, otherwise the decoding of a state 
becomes impossible. The following compatibility predicate captures the correlation 
between the structure of the frame and that of the environment. 

Definition 10 (Compatibility F ∝ E). Compatibility F ∝ E between frames 
and environments is defined by 

1. Base: ε ∝ ε; 

2. Weak Extension: (F_w : F_t) ∝ (E_w : E_t) if F_t ∝ E_t; 

3. Abstraction: (x : F) ∝ (▼x : E) if F ∝ E. 

Lemma 5 (Properties of Compatibility). 

1. Well-Formed Environments: if F and E are compatible then E is well-formed. 

2. Factorization: every compatible pair F ∝ E can be written as (F_w : F_t) ∝ 
(E_w : E_t) with F_t = x : F' iff E_t = ▼x : E'; 

3. Open Scopes Match: Λ(F) = Λ(E). 

4. Compatibility and Weak Structures Commute: for all F_w and E_w, F ∝ E 
iff (F_w : F) ∝ (E_w : E). 
Invariants. The properties of the machine that are needed to prove its correctness 
and completeness are given by the following invariants. 

Lemma 6 (Strong MAM invariants). Let s = F | u | π | E | φ be a state 
reachable from an initial term t_0. Then: 

1. Compatibility: F and E are compatible, i.e. F ∝ E. 

2. Normal Form: 

(1) Backtracking Code: if φ = ▲, then u is normal, and if π is non-empty, 
then u is neutral; 

(2) Frame: if F = F' : (w, π') : F'', then w is neutral. 

3. Backtracking Free Variables: 

(1) Backtracking Code: if φ = ▲ then fv(u) ⊆ Λ(F); 

(2) Pairs in the Frame: if F = F' : (w, π') : F'' then fv(w) ⊆ Λ(F''). 

4. Name: 

(1) Substitutions: if E = E' : [x←t] : E'' then x is fresh wrt t and E''; 

(2) Markers: if E = E' : ▼x : E'' and F = F' : x : F'' then x is fresh wrt 
E'' and F'', and E'(y) = ⊥ for any free variable y in F''; 

(3) Abstractions: if λx.t is a subterm of F, u, π, or E then x may occur only 
in t and in the closed subenvironment ▲x : E_w : ▼x of E, if it exists. 

5. Closure: 

(1) Environment: if E = E' : [x←t] : E'' then E''(y) ≠ ⊥ for all y ∈ fv(t); 

(2) Code, Stack, and Frame: E(x) ≠ ⊥ for any free variable x in u and in any 
code of π and F. 

Since the statement of the invariants is rather technical, let us summarize 
the dependencies (or lack thereof) of the various points and their use in the 
distillation proof of the next section. 

— The compatibility, normal form and backtracking free variables invariants 
are independent of each other and of the subsequent invariants. 

— The name invariant relies on the compatibility invariant only. It implies the 
determinism of the machine (because in the variable case at most one among 
→e and →▼c3 applies). 

— The closure invariant relies on the compatibility, name and backtracking free 
variables invariants only. It is crucial for the progress property (because in 
the variable case at least one among →e and →▼c3 applies). 

The proof of every invariant is by induction on the number of transitions leading 
to the reachable state. In this respect, the various points of the statement of each 
invariant are entangled, in the sense that each point needs to use the induction 
hypothesis of one of the other points, and thus they cannot be proved separately. 
6 Distilling the Strong MAM 


The definition of the decoding relies on the notion of compatible pair. 

Definition 11 (Decoding). Let s = (F, t, π, E, φ) be a state s.t. F ∝ E is a 
compatible pair. Then s decodes to a state context C_s and a term s̲ as follows 
(the decoding of a structure is written underlined): 

Weak Environments: 

\[
\begin{array}{rcl}
\underline{\epsilon} &:=& \langle\cdot\rangle \\
\underline{[x{\leftarrow}u] : E_w} &:=& \underline{E_w}\langle \langle\cdot\rangle[x{\leftarrow}u] \rangle \\
\underline{\blacktriangle x : E_w : \blacktriangledown x : E'} &:=& \underline{E'}
\end{array}
\]

Compatible Pairs: 

\[
\begin{array}{rcl}
\underline{\epsilon \propto \epsilon} &:=& \langle\cdot\rangle \\
\underline{(F_w : F_t) \propto (E_w : E_t)} &:=& \underline{F_t \propto E_t}\langle \underline{E_w}\langle \underline{F_w} \rangle \rangle \\
\underline{(x : F) \propto (\blacktriangledown x : E)} &:=& \underline{F \propto E}\langle \lambda x.\langle\cdot\rangle \rangle
\end{array}
\]

Weak Frames: 

\[
\begin{array}{rcl}
\underline{\epsilon} &:=& \langle\cdot\rangle \\
\underline{(u, \pi) : F_w} &:=& \underline{F_w}\langle \underline{\pi}\langle u\langle\cdot\rangle \rangle \rangle
\end{array}
\]

Stacks: 

\[
\begin{array}{rcl}
\underline{\epsilon} &:=& \langle\cdot\rangle \\
\underline{u : \pi} &:=& \underline{\pi}\langle \langle\cdot\rangle u \rangle
\end{array}
\]

States: 

\[
\begin{array}{rcl}
C_s &:=& \underline{F \propto E}\langle \underline{\pi} \rangle \\
\underline{s} &:=& C_s\langle t \rangle
\end{array}
\]

The following lemmas sum up the properties of the decoding. 

Lemma 7 (Closed Scopes Disappear). Let F ∝ E be a compatible pair. 
Then F ∝ (▲x : E_w : ▼x : E) = F ∝ E (as decoded contexts). 

Lemma 8 (LO Decoding Invariant). Let s = F | u | π | E | φ be a reachable 
state. Then F ∝ E and C_s are LO contexts. 

Lemma 9 (Decoding and Structural Equivalence ≡). 

1. Stacks and Substitutions Commute: if x does not occur free in π then 
π⟨t[x←u]⟩ ≡ π⟨t⟩[x←u]; 

2. Compatible Pairs Absorb Substitutions: if x does not occur free in F then 
F ∝ E⟨t[x←u]⟩ ≡ F ∝ ([x←u] : E)⟨t⟩. 
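As an added example of Definition 11 (our own code, not the paper's), the following Python functions compute the decoding of a machine state into a state context C_s and a term with explicit substitutions, and apply it to two constructed states on either side of a multiplicative transition, so that the two decodings differ exactly as the m-case of the distillation theorem predicts. The tuple encoding of terms, contexts and data structures is our own assumption.

```python
# Terms: ('var', x), ('lam', x, t), ('app', t, u); terms with ES add ('es', t, x, u) for t[x<-u].
# Frames, stacks and environments are lists with the head at index 0; frame entries are
# ('var', x) and ('pair', u, pi); environment entries are ('sub', x, t) for [x<-t],
# ('open', x) for ▼x and ('close', x) for ▲x. A context is a term with exactly one HOLE.
HOLE = ('hole',)

def plug(C, t):
    """C<t>: replace the hole of context C by t (no capture avoidance, as in the paper)."""
    if C == HOLE:
        return t
    if C[0] == 'var':
        return C
    if C[0] == 'lam':
        return ('lam', C[1], plug(C[2], t))
    if C[0] == 'app':
        return ('app', plug(C[1], t), plug(C[2], t))
    return ('es', plug(C[1], t), C[2], plug(C[3], t))

def dec_stack(pi):
    """Stacks: ε := <.> and u : π := π<<.> u>."""
    C = HOLE
    for u in reversed(pi):
        C = plug(C, ('app', HOLE, u))
    return C

def dec_wframe(Fw):
    """Weak frames: ε := <.> and (u, π) : Fw := Fw<π<u <.>>>."""
    C = HOLE
    for _, u, pi in reversed(Fw):
        C = plug(C, plug(dec_stack(pi), ('app', u, HOLE)))
    return C

def dec_wenv(Ew):
    """Weak environments: ε := <.>, [x<-u] : Ew := Ew<<.>[x<-u]>, and a closed scope
    ▲x : Ew' : ▼x : Ew decodes to Ew (meta-level garbage collection)."""
    subs, depth = [], 0
    for entry in Ew:
        depth += (entry[0] == 'close') - (entry[0] == 'open')
        if depth == 0 and entry[0] == 'sub':             # entries inside closed scopes vanish
            subs.append(entry)
    C = HOLE
    for _, x, u in reversed(subs):
        C = plug(C, ('es', HOLE, x, u))
    return C

def split_env(E):
    """Split a well-formed E into its weak prefix Ew and its trunk Et = ▼x : E' (or ε)."""
    i, depth = 0, 0
    while i < len(E):
        if E[i][0] == 'open' and depth == 0:            # first unmatched opener starts the trunk
            break
        depth += (E[i][0] == 'close') - (E[i][0] == 'open')
        i += 1
    return E[:i], E[i:]

def dec_pair(F, E):
    """Compatible pairs: ε ∝ ε := <.>, (Fw : Ft) ∝ (Ew : Et) := Ft ∝ Et<Ew<Fw>>,
    (x : F) ∝ (▼x : E) := F ∝ E<λx.<.>>; F and E must be compatible (Definition 10)."""
    if not F and not E:
        return HOLE
    n = 0
    while n < len(F) and F[n][0] == 'pair':
        n += 1
    Fw, Ft = F[:n], F[n:]
    Ew, Et = split_env(E)
    if Fw or Ew:                                         # weak extension
        return plug(dec_pair(Ft, Et), plug(dec_wenv(Ew), dec_wframe(Fw)))
    x = Ft[0][1]                                         # abstraction: both sides start with x
    assert Et and Et[0] == ('open', x), "frame and environment are not compatible"
    return plug(dec_pair(Ft[1:], Et[1:]), ('lam', x, HOLE))

def decode(s):
    """C_s := F ∝ E<π> and the decoded term s := C_s<t>; the phase plays no role."""
    F, t, pi, E, _ = s
    Cs = plug(dec_pair(F, E), dec_stack(pi))
    return Cs, plug(Cs, t)

# Constructed states (not from the paper) of the machine run on λf.λx.f ((λy.y) x), taken
# just before and just after the multiplicative step that binds y to x.
FRAME = [('pair', ('var', 'f'), []), ('var', 'x'), ('var', 'f')]
BEFORE_M = (FRAME, ('lam', 'y', ('var', 'y')), [('var', 'x')],
            [('open', 'x'), ('open', 'f')], 'eval')
AFTER_M = (FRAME, ('var', 'y'), [],
           [('sub', 'y', ('var', 'x')), ('open', 'x'), ('open', 'f')], 'eval')

if __name__ == '__main__':
    for s in (BEFORE_M, AFTER_M):
        print(decode(s)[1])
```

The first state decodes to λf.λx.f ((λy.y) x) and the second to λf.λx.(f y)[y←x], i.e. the explicit substitution created by the →m step is absorbed by the environment, as Lemma 9.2 states.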

The next theorem is our first main result. By the abstract approach presented 
in Sect. 3 (Theorem 1), it implies that the Strong MAM is a correct and complete 
implementation of linear LO evaluation to normal form. 

Theorem 3 (Distillation). (Strong MAM, →LO, ≡, ·̲) is an explicit and reflective 
distillery. In particular: 

1. Projection of Principal Transitions: 

(a) Multiplicative: if s →m s' then s̲ →m ≡ s̲'; 

(b) Exponential: if s →e s' then s̲ →e ≡ s̲', duplicating the same subterm. 

2. Distillation of Commutative Transitions: 

(a) Garbage Collection of Weak Environments: if s →▲c4 s' then s̲ ≡gc s̲'; 

(b) Equality Cases: if s →c1,2,3,5,6 s' then s̲ = s̲'. 

Proof. Recall, the decoding is defined as (F, t, π, E, φ)̲ := F ∝ E⟨π̲⟨t⟩⟩. 
Determinism of the machine follows by the name invariant (Lemma 6.4), and that of 
the strategy follows from the totality of the LO order (Lemma 1). We list all 
cases but the simple equality ones, which may be found in Appendix D.4. 
— Case s = (F, λx.t, u : π, E, ▼) →m (F, t, π, [x←u] : E, ▼) = s'. Note that 
C_{s'} = F ∝ E⟨π̲⟩ is LO by the LO decoding invariant (Lemma 8). Moreover, 
by the closure invariant (Lemma 6.5) x does not occur in F nor in π, justifying 
the use of Lemma 9 in: 

\[
\begin{array}{rcl}
\underline{(F, \lambda x.t, u : \pi, E, \blacktriangledown)} &=& \underline{F \propto E}\langle \underline{u : \pi}\langle \lambda x.t \rangle \rangle \\
&=& \underline{F \propto E}\langle \underline{\pi}\langle (\lambda x.t)u \rangle \rangle \\
&\to_m& \underline{F \propto E}\langle \underline{\pi}\langle t[x{\leftarrow}u] \rangle \rangle \\
&\equiv_{L.9.1}& \underline{F \propto E}\langle \underline{\pi}\langle t \rangle [x{\leftarrow}u] \rangle \\
&\equiv_{L.9.2}& \underline{F \propto ([x{\leftarrow}u] : E)}\langle \underline{\pi}\langle t \rangle \rangle = \underline{(F, t, \pi, [x{\leftarrow}u] : E, \blacktriangledown)}
\end{array}
\]

— Case s = (F, x, π, E, ▼) →e (F, t^α, π, E, ▼) = s' with E(x) = t. As before, 
C_s is LO by Lemma 8. Moreover, E(x) = t guarantees that E, and thus C_s, 
have a substitution binding x to t. Finally, C_s = C_{s'}. Then 

s̲ = C_s⟨x⟩ →e C_s⟨t^α⟩ = s̲' 

— Case s = (x : F, t, ε, E, ▲) →▲c4 (F, λx.t, ε, ▲x : E, ▲) = s'. By Lemma 6.1 
x : F ∝ E, and by Lemma 5.2 E = E_w : ▼x : E'. Then 

(x : F) ∝ E = (x : F) ∝ (E_w : ▼x : E') = (x : F) ∝ (▼x : E')⟨E_w̲⟩ 

Since we are in a backtracking phase (▲), the backtracking free variables 
invariant (Lemma 6.3.1) and the open scopes matching property (Lemma 5.3) 
give fv(t) ⊆ Λ(x : F) =_{L.5.3} Λ(E_w : ▼x : E') =_{L.4} Λ(▼x : E'), i.e. E_w 
does not bind any variable in fv(t). Then E_w̲⟨t⟩ ≡gc t, and 

\[
\begin{array}{rcl}
\underline{(x : F, t, \epsilon, E, \blacktriangle)} &=& \underline{(x : F) \propto E}\langle t \rangle \\
&=& \underline{(x : F) \propto (E_w : \blacktriangledown x : E')}\langle t \rangle \\
&=& \underline{(x : F) \propto (\blacktriangledown x : E')}\langle \underline{E_w}\langle t \rangle \rangle \\
&\equiv_{gc}& \underline{(x : F) \propto (\blacktriangledown x : E')}\langle t \rangle \\
&=& \underline{F \propto E'}\langle \lambda x.t \rangle \\
&=_{L.7}& \underline{F \propto (\blacktriangle x : E_w : \blacktriangledown x : E')}\langle \lambda x.t \rangle \\
&=& \underline{F \propto (\blacktriangle x : E)}\langle \lambda x.t \rangle \\
&=& \underline{(F, \lambda x.t, \epsilon, \blacktriangle x : E, \blacktriangle)}
\end{array}
\]

For what concerns reflectiveness, termination of commutative transitions is 
subsumed by bilinearity (Theorem 4 below). For progress, note that 

1. the machine cannot get stuck during the evaluation phase: for applications 
and abstractions it is evident, and for variables one among →e and →▼c3 
always applies, because of the closure invariant (Lemma 6.5). 

2. final states have the form (ε, t, ε, E, ▲), because 

(a) by the previous consideration they are in a backtracking phase, 

(b) if the stack is non-empty then →▲c6 applies, 

(c) otherwise, if the frame is not empty then either →▲c4 or →▲c5 applies. 

3. final states decode to normal terms: a final state s = (ε, t, ε, E, ▲) decodes 
to s̲ = E̲⟨t⟩, which is normal and closed by the normal form (Lemma 6.2.1) 
and backtracking free variables (Lemma 6.3.1) invariants. □ 
7 Complexity Analysis 

The complexity analysis requires a further invariant, bounding the size of the 
duplicated subterms. For us, u is a subterm of t if it is so up to variable 
names, both free and bound. More precisely: define t⁻ as t in which all variables 
(including those appearing in binders) are replaced by a fixed symbol *. Then, 
we will consider u to be a subterm of t whenever u⁻ is a subterm of t⁻ in the 
usual sense. The key property ensured by this definition is that the size |u| of u 
is bounded by |t|. 

Lemma 10 (Subterm Invariant). Let ρ be an execution from an initial code 
t. Every code duplicated along ρ using →e is a subterm of t. 

Via the distillation theorem (Theorem 3), the invariant provides a new proof 
of the subterm property of linear LO reduction (first proved in [?]). 

Lemma 11 (Subterm Property for →LO). Let d be a →LO-derivation from 
an initial term t. Every term duplicated along d using →e is a subterm of t. 

The next theorem is our second main result, from which the low-level 
implementation theorem (Theorem 2) follows. Let us stress that, despite the simplicity 
of the reasoning, the analysis is subtle as the length of backtracking phases (Point 
2) can be bounded only globally, by the whole previous evaluation work. 

Theorem 4 (Bilinearity). The Strong MAM is bilinear, i.e. given an execution 
ρ : s →* s' from an initial state of code t then: 

1. Commutative Evaluation Steps are Bilinear: |ρ|▼c ≤ (1 + |ρ|e) · |t|. 

2. Commutative Evaluation Bounds Backtracking: |ρ|▲c ≤ 2 · |ρ|▼c. 

3. Commutative Steps are Bilinear: |ρ|c ≤ 3 · (1 + |ρ|e) · |t|. 

Proof. 1. We prove a slightly stronger statement, namely |ρ|▼c + |ρ|m ≤ (1 + 
|ρ|e) · |t|, by means of the following notion of size for stacks/frames/states: 

\[
\begin{array}{ll}
|\epsilon| := 0 & |x : F| := |F| \\
|t : \pi| := |t| + |\pi| & |(t, \pi) : F| := |\pi| + |F| \\
|(F, t, \pi, E, \blacktriangledown)| := |F| + |\pi| + |t| & |(F, t, \pi, E, \blacktriangle)| := |F| + |\pi|
\end{array}
\]

By direct inspection of the rules of the machine it can be checked that: 

— Exponentials Increase the Size: if s →e s' is an exponential transition, 
then |s'| < |s| + |t| where |t| is the size of the initial term; this is a 
consequence of the fact that exponential steps retrieve a piece of code from 
the environment, which is a subterm of the initial term by Lemma 10. 

— Non-Exponential Evaluation Transitions Decrease the Size: if s →a s' 
with a ∈ {m, ▼c1, ▼c2, ▼c3} then |s'| < |s|; 

— Backtracking Transitions do not Change the Size: if s →a s' with a ∈ 
{▲c4, ▲c5, ▲c6} then |s'| = |s|. 

Then a straightforward induction on |ρ| shows that 

|s'| ≤ |s| + |ρ|e · |t| − |ρ|▼c − |ρ|m 

i.e. that |ρ|▼c + |ρ|m ≤ |s| + |ρ|e · |t| − |s'|. 

Now note that | · | is always non-negative and that since s is initial we have 
|s| = |t|. We can then conclude with 

|ρ|▼c + |ρ|m ≤ |s| + |ρ|e · |t| − |s'| 
≤ |s| + |ρ|e · |t| = |t| + |ρ|e · |t| = (1 + |ρ|e) · |t| 

2. We have to estimate |ρ|▲c = |ρ|▲c4 + |ρ|▲c5 + |ρ|▲c6. Note that 

(a) |ρ|▲c4 ≤ |ρ|▼c2, as →▲c4 pops variables from F, pushed only by →▼c2; 

(b) |ρ|▲c5 ≤ |ρ|▲c6, as →▲c5 pops pairs (t, π) from F, pushed only by →▲c6; 

(c) |ρ|▲c6 ≤ |ρ|▼c3, as →▲c6 ends backtracking phases, started only by →▼c3. 

Then |ρ|▲c ≤ |ρ|▼c2 + 2 |ρ|▼c3 ≤ 2 |ρ|▼c. 

3. We have |ρ|c = |ρ|▼c + |ρ|▲c ≤_{P.2} |ρ|▼c + 2 |ρ|▼c ≤_{P.1} 3 · (1 + |ρ|e) · |t|. 
Last, every transition but →e takes a constant time on a RAM. The renaming 
in a →e step is instead linear in |t|, by the subterm invariant (Lemma 10). □ 
A Proofs Omitted from Sect. 2 

(Linear Leftmost-Outermost Reduction) 

The proofs omitted from Sect. 2 are: 

1. Lemma 1, stating the totality of the ≺LO order. The proof is a trivial induction 
on t. 

2. Lemma 2, stating the equivalence of LO contexts and LO reduction. It is 
proved in the next subsection. 

3. Proposition 1, stating that structural equivalence ≡ is a strong bisimulation. 
The very long and tedious proof is postponed to the last section of the 
appendix, at page [ ]. 

A.1 Proof of the Equivalence of Definitions for LO Contexts 
(Lemma 2) 

Proof. 

⇒) There are three cases: 

(a) Left application: if C = C'⟨C''t⟩ then clearly C'' ≠ L⟨λx.C'''⟩, otherwise 
C is not the position of the LO redex. 

(b) Right Application: let C = C'⟨wC''⟩, and note w is neutral otherwise C 
is not the position of the LO redex. 

(c) Substitution: if C = C'⟨C''[x←u]⟩ then x ∉ lfv(C'') otherwise there is 
an exponential redex of position ≺LO C, which would be absurd. 

⇐) Let C' be the position of the →LO step in t and suppose, for the sake of 
absurdity, that C' ≠ C. By definition C' ≺LO C. We have two cases: 

(a) C' ≺O C. Then necessarily C' identifies a →m-redex and we have C = 
C'⟨L⟨λx.C''⟩w⟩. It follows that C is not a LO context, because the left 
application clause is contradicted, absurd. 

(b) C' ≺L C. Then there is a decomposition C = C''⟨wC'''⟩ with the 
hole of C' falling in w. By hypothesis w is neutral. Then w = C_0⟨x⟩ 
and the →LO step is a →e-step substituting on x from a substitution 
in C'', i.e. C'' = C*⟨C°[x←t]⟩ for some contexts C* and C°. Then 
C = C*⟨C°⟨wC'''⟩[x←t]⟩ and x ∈ lfv(C°⟨wC'''⟩), which contradicts 
the substitution clause in the hypothesis that C is a LO context. □ 

B Proofs Omitted from Sect. 3 

(Distilleries) 

The proof of Lemma 3, stating that a strong bisimulation ≡ can be postponed, 
is a straightforward induction on the number of rewriting steps in t (⊸ ∪ ≡)* u. 

The proof of Theorem 1, stating the correctness and completeness of the 
implementation for a reflective distillery, follows. The simulation is a simple 
proof by induction using the postponement lemma, while the reverse simulation 
is a similar induction following from the properties of a reflective distillery and 
by determinism of ⊸. 

Proof (of Theorem 1). 

1. Strong Simulation: by induction on the length of ρ. If ρ is empty then the 
empty derivation satisfies the statement. Otherwise ρ is given by σ : s →* s'' 
followed by s'' → s'. By i.h. there exists e : s̲ ⊸*≡ s̲'' s.t. |σ|p = |e|. Cases 
of s'' → s': 

(a) Principal: by definition of a distillery, s̲'' ⊸≡ s̲', and so s̲ ⊸*≡ s̲'' ⊸≡ 
s̲'. By the postponement lemma (Lemma 3) the use of ≡ between ⊸ steps 
can be postponed, obtaining a term u and a derivation d s.t. 
d : s̲ ⊸* u ⊸≡ s̲' with |d| = |e| + 1 =i.h. |σ|p + 1 = |ρ|p. 

(b) Commutative: by definition of a distillery, s̲'' ≡ s̲', and so d : s̲ ⊸*≡ 
s̲'' ≡ s̲' verifies |d| = |e| =i.h. |σ|p = |ρ|p. 

2. Reverse Strong Simulation: we use nf_c(s) to denote the commutative normal 
form of s, that exists and is unique because by hypothesis →c terminates 
and the machine is deterministic. The proof is by induction on the length of 
d. If d is empty then the empty execution satisfies the statement. 

If d is given by e : s̲ ⊸* u followed by u ⊸ t then by i.h. there is an execution 
σ : s →* s'' s.t. u ≡ s̲'' and |σ|p = |e|. Note that since commutative 
transitions are distilled away, σ can be extended as σ' : s →* s'' →c* nf_c(s'') with 
u ≡ nf_c(s'')̲ and |σ'|p = |e|. Now, if u ≠ t then nf_c(s'') cannot be a final 
state, otherwise there would be a contradiction with the progress hypothesis 
for a reflective distillery. Then nf_c(s'') →p s' (the transition cannot be 
commutative because nf_c(s'') is a commutative normal form). Now, by definition 
of distillery there exists w s.t. nf_c(s'')̲ ⊸ w ≡ s̲'. But u ≡ nf_c(s'')̲ ⊸ w, so 
by Lemma 3 there exists t' s.t. u ⊸ t' ≡ w ≡ s̲'. Now the determinism of ⊸ 
implies t' = t, allowing us to conclude. □ 

C Proofs Omitted from Sect. 5 

(The Strong Milner Abstract Machine) 

First of all, Lemma 4 (namely: if E_w is a weak environment then Λ(E_w) = ∅) 
is proved by a straightforward induction on the definition of weak environment 
E_w. 

Then we prove the properties of compatibility (next subsection), and the 
invariants (Lemma 6). The proof of every invariant is studied separately, to 
stress the dependencies wrt the other invariants. 

C.1 Proof of the Properties of Compatibility (Lemma 5) 

Proof. The first three points (well-formed environments, factorization, open scopes) 
are by induction on the definition of compatible pair, and well-formed 
environments is omitted because it is evident. The fourth point is rather a corollary 
of factorization, and will be treated after the induction. The base case of the 
inductive reasoning is immediate for both factorization and open scopes. Two 
inductive cases: 

1. Weak Extension: 

(a) Factorization: the decomposition is immediate, and the correspondence 
about the first variable name follows from the i.h.. 

(b) Open Scopes: by i.h., Λ(F_t) = Λ(E_t). By Lemma 4, Λ(E_w) = ∅, and by 
definition Λ(F_w) = ∅. Then Λ(F) = Λ(F_w) ∪ Λ(F_t) = Λ(F_t) = Λ(E_t) = 
Λ(E_w) ∪ Λ(E_t) = Λ(E). 

2. Abstraction: 

(a) Factorization: by definition x : F and ▼x : E are a trunk frame F_t and 
a trunk environment E_t, respectively; given that : is overloaded with 
composition, and weak frames and environments can be empty, we have 
F = ε : F_t, and similarly for E, proving the decomposition property. The 
correspondence about the first variable name is evident. 

(b) Open Scopes: Λ(x : F) = {x} ∪ Λ(F) =i.h. {x} ∪ Λ(E) = Λ(▼x : E). 

Compatibility and Weak Structures Commute: 

1. ⇒) By factorization (Point 2), F = F'_w : F_t and E = E'_w : E_t. By definition 
of compatibility, if F ∝ E is derivable then F_t ∝ E_t is also derivable. Now 
F_w : F'_w and E_w : E'_w are weak structures and so by the weak extension rule 
F_w : F = F_w : F'_w : F_t ∝ E_w : E'_w : E_t = E_w : E. 

2. ⇐) By definition of compatibility, if F_w : F = F_w : F'_w : F_t ∝ E_w : E'_w : 
E_t = E_w : E is derivable then F_t ∝ E_t is also derivable, and F = F'_w : F_t ∝ 
E'_w : E_t = E by applying the weak extension rule. □ 


C.2 Proof of the Compatibility Invariant (Lemma 6.1) 

Proof. By induction on the number of transitions to reach s. The 
invariant trivially holds for an initial state. For a non-empty evaluation sequence 
we list the cases for the last transition. We only deal with those that act on the 
frame or on the environment, as the others immediately follow from the i.h.. 

— Case (F, λx.t, u : π, E, ▼) →m (F, t, π, [x←u] : E, ▼). By i.h. F and E are 
compatible, i.e. F = (F_w : F_t) ∝ (E_w : E_t) = E with F_t ∝ E_t. Since [x←u] : 
E_w is still a weak environment, we have (F_w : F_t) ∝ ([x←u] : E_w : E_t), i.e. 
F ∝ ([x←u] : E). 

— Case (F, λx.t, ε, E, ▼) →▼c2 (x : F, t, ε, ▼x : E, ▼). By i.h. F ∝ E. By 
definition of compatibility we obtain (x : F) ∝ (▼x : E). 

— Case (x : F, t, ε, E, ▲) →▲c4 (F, λx.t, ε, ▲x : E, ▲). By i.h., (x : F) ∝ E. By 
the factorization property of compatible pairs (Lemma 5.2) E = E_w : ▼x : E' 
with F ∝ E'. Now ▲x : E = ▲x : E_w : ▼x : E' = E'_w : E'. Then, from 
F ∝ E' by definition F ∝ (E'_w : E'), i.e. F ∝ (▲x : E). 

— Case ((t, π) : F, u, ε, E, ▲) →▲c5 (F, tu, π, E, ▲). By i.h., ((t, π) : F) ∝ E, so 
F ∝ E by Lemma 5.4. 

— Case (F, t, u : π, E, ▲) →▲c6 ((t, π) : F, u, ε, E, ▼). By i.h., we have that 
F ∝ E, which implies ((t, π) : F) ∝ E by Lemma 5.4. □ 
C.3 Proof of the Normal Form Invariant (Lemma 6.2) 

Proof. The invariant trivially holds for an initial state ε | t | ε | ε | ▼. For a 
non-empty evaluation sequence we list the cases for the last transition. We only 
consider the cases for backtracking phases (▲) or when the frame changes; the 
others (→▼c1, →m, →e) are omitted because they follow immediately from the 
i.h.. 

– Case (F, λx.t, ε, E, ▼) →▼c2 (x : F, t, ε, ▼x : E, ▼). 

1. Trivial since φ ≠ ▲. 

2. Suppose x : F can be written as x : F' : (u, π') : F''. Then by i.h. u is a 
neutral term. 

– Case (F, x, π, E, ▼) →▼c3 (F, x, π, E, ▲) with E(x) = ⊤. Note that x ∈ 
Λ(E), because E(x) = ⊤. 

1. x is a normal and neutral term. 

2. It follows from the i.h., as F is unchanged. 

– Case (x : F, t, ε, E, ▲) →▲c4 (F, λx.t, ε, ▲x : E, ▲). 

1. By i.h. we know that t is a normal form. Then λx.t is a normal form, the 
stack is empty, so we conclude. 

2. It follows from the i.h.. 

– Case ((t, π) : F, u, ε, E, ▲) →▲c5 (F, tu, π, E, ▲). 

1. By i.h. we have that u is a normal term while by Point 2 of the i.h. t is 
neutral. Therefore tu is a neutral term. 

2. It follows from the i.h.. 

– Case (F, t, u : π, E, ▲) →▲c6 ((t, π) : F, u, ε, E, ▼). 

1. Trivial since φ ≠ ▲. 

2. t is a neutral term by Point 1 of the i.h.. □ 

C.4 Proof of the Backtracking Free Variables Invariant (Lemma 6.3) 

Proof. The invariant trivially holds for an initial state ε | t_0 | ε | ε | ▼ if t_0 is 
closed and well-named. For a non-empty evaluation sequence we list the cases for 
the last transition. We omit the transitions involving only states in evaluating 
phase, as for them everything follows immediately from the i.h.. 

– Case (F, y, π, E, ▼) →▼c3 (F, y, π, E, ▲) with E(y) = ⊤. 

1. Backtracking Code: by hypothesis E(y) = ⊤, and so y ∈ Λ(E) =_{L.5.3} 
Λ(F). 

2. Pairs in the Frame: it follows from the i.h.. 

– Case (y : F, w, ε, E, ▲) →▲c4 (F, λy.w, ε, ▲y : E, ▲). 

1. Backtracking Code: by i.h. fv(w) ⊆ Λ(y : F) and so fv(λy.w) = fv(w) \ 
{y} ⊆ Λ(F). 

2. Pairs in the Frame: it follows from the i.h.. 

– Case ((w, π) : F, r, ε, E, ▲) →▲c5 (F, wr, π, E, ▲). 

1. Backtracking Code: by i.h. fv(r) ⊆ Λ((w, π) : F) = Λ(F) and by Point 2 
of the i.h. fv(w) ⊆ Λ(F), and so fv(wr) ⊆ Λ(F). 

2. Pairs in the Frame: it follows from the i.h.. 

– Case (F, w, r : π, E, ▲) →▲c6 ((w, π) : F, r, ε, E, ▼). 

1. Backtracking Code: nothing to prove. 

2. Pairs in the Frame: by Point 1 of the i.h. fv(w) ⊆ Λ(F), the rest follows 
from the i.h.. □ 
C.5 Proof of the Name Invariant (Lemma 6.4) 

Proof. The invariant trivially holds for an initial state ε | w_0 | ε | ε | ▼ if w_0 is 
closed and well-named. For a non-empty evaluation sequence we list the cases 
for the last transition: 

— Case (F, wr, π, E, ▼) →▼c1 (F, w, r : π, E, ▼). Every point follows from its 
i.h.. 

— Case (F, λy.w, r : π, E, ▼) →m (F, w, π, [y←r] : E, ▼). 

1. Substitutions: for [y←r] it follows from Point 3 of the i.h., for E it follows 
from the i.h.. 

2. Markers: note that by Point 3 of the i.h. y simply cannot occur in E, 
the rest follows from the i.h.. 

3. Abstractions: it follows from the i.h.. 

— Case (F, λy.w, ε, E, ▼) →▼c2 (y : F, w, ε, ▼y : E, ▼). 

1. Substitutions: it follows from the i.h.. 

2. Markers: for y it follows from Point 3 of the i.h., the rest follows from 
the i.h.. 

3. Abstractions: it follows from the i.h.. 

— Case (F, y, π, E, ▼) →e (F, w^α, π, E, ▼). It follows by the i.h. and the fact 
that in w^α the abstracted variables are renamed (wrt w) with fresh names. 

— Case (F, y, π, E, ▼) →▼c3 (F, y, π, E, ▲). Every point follows from its i.h.. 

— Case (y : F, w, ε, E, ▲) →▲c4 (F, λy.w, ε, ▲y : E, ▲). By the compatibility 
invariant (Lemma 6.1) (y : F) ∝ E, and by the factorization property of 
compatible pairs (Lemma 5.2) E = E_w : ▼y : E'. 

1. Substitutions: it follows from the i.h.. 

2. Markers: it follows from the i.h.. 

3. Abstractions: for λy.w it holds because by Point 2 of the i.h. y does 
not appear in F nor in E' (it may however occur in E_w, but this is 
taken into account by the statement). For the other abstractions Point 3 
follows from the i.h.. 

— Case ((w, π) : F, r, ε, E, ▲) →▲c5 (F, wr, π, E, ▲). Every point follows from 
its i.h.. 

— Case (F, w, r : π, E, ▲) →▲c6 ((w, π) : F, r, ε, E, ▼). Every point follows 
from its i.h.. □ 

C.6 Proof of the Closure Invariant (Lemma 6.5) 

Proof. The invariant trivially holds for an initial state ε | t_0 | ε | ε | ▼ if t_0 is 
closed and well-named. For a non-empty evaluation sequence we list the cases 
for the last transition: 

— Case (F, wr, π, E, ▼) →▼c1 (F, w, r : π, E, ▼). Every point follows from its 
i.h.. 

— Case (F, λy.w, r : π, E, ▼) →m (F, w, π, [y←r] : E, ▼). 

1. Environment: for [y←r] it follows from Point 2 of the i.h., for the rest it 
follows from the i.h.. 

2. Code, Stack, and Frame: for y it is evident, as [y←r] : E is clearly defined 
on y, for the rest it follows from the i.h.. 

– Case (F, λy.w, ε, E, ▼) →▼c2 (y : F, w, ε, ▼y : E, ▼). 

1. Environment: it follows from the i.h.. 

2. Code, Stack, and Frame: for y it is evident, as ▼y : E is clearly defined on 
y, for the rest it follows from the i.h.. 

– Case (F, y, π, E, ▼) →e (F, w^α, π, E, ▼). 

1. Environment: it follows from the i.h.. 

2. Code, Stack, and Frame: for w^α it follows from Point 1 of the i.h., as 
w appears in the environment out of all closed scopes (otherwise the 
transition would not take place). The rest follows from the i.h.. 

– Case (F, y, π, E, ▼) →▼c3 (F, y, π, E, ▲) with E(y) = ⊤. 

1. Environment: it follows from the i.h.. 

2. Code, Stack, and Frame: it follows from the i.h.. 

– Case (y : F, w, ε, E, ▲) →▲c4 (F, λy.w, ε, ▲y : E, ▲). By the compatibility 
invariant (Lemma 6.1) (y : F) ∝ E, and by the factorization property of 
compatible pairs (Lemma 5.2) E = E_w : ▼y : E'. 

1. Environment: it follows from the i.h.. 

2. Code, Stack, and Frame: note that 

(a) E_w does not bind any variable occurring free in w by Lemma 6.3.1, 

(b) E_w does not bind any variable occurring free in F by Lemma 6.4.2, 
and 

(c) the stack is empty by hypothesis. 

Then E_w does not bind any free variable in the code, in the stack, nor 
in the frame, and we conclude using the i.h., because ▲y : E_w : ▼y : E' by 
definition is defined on a variable z iff E' is. 

– Case ((w, π) : F, r, ε, E, ▲) →▲c5 (F, wr, π, E, ▲). 

1. Environment: it follows from the i.h.. 

2. Code, Stack, and Frame: it follows from the i.h.. 

– Case (F, w, r : π, E, ▲) →▲c6 ((w, π) : F, r, ε, E, ▼). 

1. Environment: it follows from the i.h.. 

2. Code, Stack, and Frame: it follows from the i.h.. □ 

D Proofs Omitted from Sect. 6 

(Distilling the Strong MAM) 

D.1 Proof of Closed Scopes Disappear (Lemma 7) 

Proof. Essentially it follows from the fact that ▲x : E_w : ▼x : E and E decode to 
the same context. Precisely, by Lemma 5.2 
F and E have, respectively, the forms F_w : F_t and E'_w : E_t. Now, 

\[
\begin{array}{rcl}
\underline{F \propto (\blacktriangle x : E_w : \blacktriangledown x : E)} &=& \underline{(F_w : F_t) \propto (\blacktriangle x : E_w : \blacktriangledown x : E'_w : E_t)} \\
&=& \underline{F_t \propto E_t}\langle \underline{\blacktriangle x : E_w : \blacktriangledown x : E'_w}\langle \underline{F_w} \rangle \rangle \\
&=& \underline{F_t \propto E_t}\langle \underline{E'_w}\langle \underline{F_w} \rangle \rangle \\
&=& \underline{(F_w : F_t) \propto (E'_w : E_t)} = \underline{F \propto E}
\end{array}
\]

□ 
D.2 Proof of the Leftmost-Outermost Invariant (Lemma 8) 

For the invariant we need the following lemma. 

Lemma 12 (Compatible Pairs Decode to Non-Applicative Contexts). 
Let F_w be a weak frame, E_w a weak environment, and F ∝ E a compatible pair. 
Then F_w, E_w, and F ∝ E decode to contexts that are not applicative, i.e. not of the 
form C⟨Lt⟩. 

Proof. The fact that F_w and E_w are not applicative is an immediate induction 
over their structure. For F ∝ E we reason by induction on the compatibility of 
F and E. The base case ε ∝ ε = ⟨·⟩ is evident. Inductive cases: 

1. Weak Extension, i.e. (F_w : F_t) ∝ (E_w : E_t) with F_t ∝ E_t. By i.h. F_t ∝ E_t 
is not applicative and both F_w and E_w are not applicative. By definition, 
(F_w : F_t) ∝ (E_w : E_t) = F_t ∝ E_t⟨E_w⟨F_w⟩⟩, which is then not applicative. 

2. Abstraction, i.e. (x : F) ∝ (▼x : E) with F ∝ E. Immediate, as F ∝ E⟨λx.⟨·⟩⟩ 
is not applicative. □ 

We can now prove that the decoding of the data structures of a reachable 
state is a LO context. 

Proof (Leftmost-Outermost Invariant, Lemma 8). 

We prove that F ∝ E is a LO context; the fact that C_s is a LO context then 
easily follows, as C_s := F ∝ E⟨π̲⟩. 

The invariant trivially holds for an initial state ε | t_0 | ε | ε | ▼. For a 
non-empty evaluation sequence we list the cases for the last transition. We 
omit the cases for which the environment and the frame do not change (i.e. 
→▼c1, →e, →▼c3), as for them the statement follows from the i.h.. 

— Case (F, λx.t, u : π, E, ▼) →m (F, t, π, [x←u] : E, ▼). By i.h. F ∝ E is LO. Let 
F = F_w : F_t and E = E_w : E_t, so that F ∝ E = F_t ∝ E_t⟨E_w⟨F_w⟩⟩. Note that, by the name invariant 
(Lemma 6.4.3), the eventual occurrences of x are all in t and so x ∉ fv(F_w), 
and in particular x ∉ lfv(F_w). Then F_t ∝ E_t⟨E_w⟨F_w[x←u]⟩⟩ is LO: the conditions 
of Definition 6 are satisfied either because F ∝ E = F_t ∝ E_t⟨E_w⟨F_w⟩⟩ is LO or 
because x ∉ lfv(F_w). 

— Case (F, λx.t, ε, E, ▼) →▼c2 (x : F, t, ε, ▼x : E, ▼). By i.h. we have that F ∝ E is 
LO and by Lemma 12 F ∝ E is not applicative, so (x : F) ∝ (▼x : E) = 
F ∝ E⟨λx.⟨·⟩⟩ is LO (it satisfies the conditions of Definition 6 because 
F ∝ E does). 

— Case (x : F, t, ε, E, ▲) →▲c4 (F, λx.t, ε, ▲x : E, ▲). By the compatibility 
invariant (Lemma 6.1) (x : F) ∝ E, and by the factorization property of 
compatible pairs (Lemma 5.2) E = E_w : ▼x : E_t. By definition 

(x : F) ∝ (E_w : ▼x : E_t) = F ∝ E_t⟨λx.E_w⟩ 

that by i.h. is LO. Now, F ∝ E_t is LO, as it satisfies the conditions of 
Definition 6 because F ∝ E does. We conclude by noticing that the compatible 
pair of the target state satisfies F ∝ (▲x : E) = F ∝ (▲x : E_w : ▼x : E_t) =_{L.7} 
F ∝ E_t. 
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- Case ((t, tt) : F,u,e,E, A) {F,tu,Tr,E, A). By i.h. we have that ((t, tt) : E) oc E 

is LO and by frame part of the backtracking normal form invariant fLemma l6l3l2l) 

t is neutral. By definition, ((t, tt) : E) (x E = E oc E (Tr(t(-))), Then, E rx E — 
being a prefix of ((t, tt) : E) x E —verifies the conditions of Definition l6l6l and 
is LO. 

— Case {F,t,u : tt,E, A) -^Acg : F,u,€,E, T). Note that 

1. F X E is LO by i.h., 

2. F X E is not applicative by Lemma [T^ 

3. f v(t) C A{E) by the backtracking free variables invariant fLemma |6l3lll) . 

4. t is a neutral term by the normal form invariant fLemma l6l2lll) . because 
the stack at the left-hand side is not empty. 

Note that Point |3] guarantees that x ^ fv(t), and so in particular x ^ Ifv(t), 
for any ES in E (and so in F x E ). Then E x E (TT(i(-))) is LO (be¬ 

cause it verifies the conditions of Definition 16161 by the listed points), that 
is to say ((t, tt) : E) x E is LO. □ 


D.3 Proof of the Properties of the Decoding wrt Structural Equivalence $\equiv$ (Lemma 9) 

We here present a more general statement than the one in the paper. The reason 
is that the proof of the second point of the lemma (Compatible Pairs Absorb 
Substitutions) actually requires a further lemma (Weak Frames and Substitutions 
Commute, below) that is omitted from the statement in the paper because it is 
not used anywhere else. 

Lemma 13 (Decoding and Structural Equivalence $\equiv$). 

1. Stacks and Substitutions Commute: if $x$ does not occur free in $\pi$ then 
$\pi\langle t[x\leftarrow u]\rangle \equiv \pi\langle t\rangle[x\leftarrow u]$; 

2. Weak Frames and Substitutions Commute: if $x$ does not occur free in $F_w$ 
then $F_w\langle t[x\leftarrow u]\rangle \equiv F_w\langle t\rangle[x\leftarrow u]$; 

3. Compatible Pairs Absorb Substitutions: if $x$ does not occur free in $F$ then 
$F \ltimes E\langle t[x\leftarrow u]\rangle \equiv F \ltimes ([x\leftarrow u] : E)\langle t\rangle$. 

Proof. 

1. Stacks and Substitutions Commute: by induction on $\pi$. Cases: 

(a) Empty Stack, i.e. $\pi = \epsilon$. Then $\epsilon\langle t[x\leftarrow u]\rangle = t[x\leftarrow u] = \epsilon\langle t\rangle[x\leftarrow u]$. 

(b) Non-Empty Stack, i.e. $\pi = w : \pi'$. Then 

$$\begin{array}{rcl}
(w : \pi')\langle t[x\leftarrow u]\rangle & = & \pi'\langle t[x\leftarrow u]\, w\rangle \\
& \equiv_{@l} & \pi'\langle (t\, w)[x\leftarrow u]\rangle \\
& \equiv_{i.h.} & \pi'\langle t\, w\rangle[x\leftarrow u] \ =\ (w : \pi')\langle t\rangle[x\leftarrow u]
\end{array}$$ 

Note that the proof uses only $\equiv_{@l}$. 

2. Weak Frames and Substitutions Commute: by induction on $F_w$. Cases: 

(a) Empty Weak Frame, i.e. $F_w = \epsilon$. Then $\epsilon\langle t[x\leftarrow u]\rangle = t[x\leftarrow u] = \epsilon\langle t\rangle[x\leftarrow u]$. 

(b) Non-Empty Weak Frame, i.e. $F_w = (w, \pi) : F_w'$. Then 

$$\begin{array}{rcl}
((w, \pi) : F_w')\langle t[x\leftarrow u]\rangle & = & F_w'\langle\pi\langle w\,(t[x\leftarrow u])\rangle\rangle \\
& \equiv_{@r} & F_w'\langle\pi\langle (w\, t)[x\leftarrow u]\rangle\rangle \\
& \equiv_{P.1} & F_w'\langle\pi\langle w\, t\rangle[x\leftarrow u]\rangle \\
& \equiv_{i.h.} & F_w'\langle\pi\langle w\, t\rangle\rangle[x\leftarrow u] \ =\ ((w, \pi) : F_w')\langle t\rangle[x\leftarrow u]
\end{array}$$ 

Note that the proof uses only $\equiv_{@r}$ and $\equiv_{@l}$ (because of the previous point). 

3. Compatible Pairs Absorb Substitutions: by Lemma 5.2 we can decompose $F$ 
and $E$ in their weak and trunk parts, obtaining: 

$$\begin{array}{rcl}
F \ltimes E\langle t[x\leftarrow u]\rangle & = & (F_w : F_t) \ltimes (E_w : E_t)\langle t[x\leftarrow u]\rangle \\
& = & F_t \ltimes E_t\langle E_w\langle F_w\langle t[x\leftarrow u]\rangle\rangle\rangle \\
& \equiv_{P.2} & F_t \ltimes E_t\langle E_w\langle F_w\langle t\rangle[x\leftarrow u]\rangle\rangle \\
& = & F_t \ltimes E_t\langle ([x\leftarrow u] : E_w)\langle F_w\langle t\rangle\rangle\rangle \\
& = & (F_w : F_t) \ltimes ([x\leftarrow u] : E_w : E_t)\langle t\rangle \ =\ F \ltimes ([x\leftarrow u] : E)\langle t\rangle
\end{array}$$ 

□ 


D.4 Cases Omitted from the Proof of the Distillation Theorem (Theorem 3) 

Proof. We list here the equality cases omitted from the main proof in the paper. 

- Case $(F, tu, \pi, E, \blacktriangledown) \to_{c_1} (F, t, u : \pi, E, \blacktriangledown)$. 

$$\underline{(F, tu, \pi, E, \blacktriangledown)} = F \ltimes E\langle\pi\langle tu\rangle\rangle = F \ltimes E\langle (u : \pi)\langle t\rangle\rangle = \underline{(F, t, u : \pi, E, \blacktriangledown)}$$ 

- Case $(F, \lambda x.t, \epsilon, E, \blacktriangledown) \to_{c_2} (x : F, t, \epsilon, \blacktriangledown x : E, \blacktriangledown)$. 

$$\underline{(F, \lambda x.t, \epsilon, E, \blacktriangledown)} = F \ltimes E\langle\lambda x.t\rangle = (x : F) \ltimes (\blacktriangledown x : E)\langle t\rangle = \underline{(x : F, t, \epsilon, \blacktriangledown x : E, \blacktriangledown)}$$ 

- Case $(F, x, \pi, E, \blacktriangledown) \to_{c_3} (F, x, \pi, E, \blacktriangle)$. 

$$\underline{(F, x, \pi, E, \blacktriangledown)} = F \ltimes E\langle\pi\langle x\rangle\rangle = \underline{(F, x, \pi, E, \blacktriangle)}$$ 

- Case $((t, \pi) : F, u, \epsilon, E, \blacktriangle) \to_{c_5} (F, tu, \pi, E, \blacktriangle)$. 

$$\underline{((t, \pi) : F, u, \epsilon, E, \blacktriangle)} = ((t, \pi) : F) \ltimes E\langle u\rangle = F \ltimes E\langle\pi\langle tu\rangle\rangle = \underline{(F, tu, \pi, E, \blacktriangle)}$$ 

- Case $(F, t, u : \pi, E, \blacktriangle) \to_{c_6} ((t, \pi) : F, u, \epsilon, E, \blacktriangledown)$. 

$$\underline{(F, t, u : \pi, E, \blacktriangle)} = F \ltimes E\langle (u : \pi)\langle t\rangle\rangle = F \ltimes E\langle\pi\langle tu\rangle\rangle = ((t, \pi) : F) \ltimes E\langle u\rangle = \underline{((t, \pi) : F, u, \epsilon, E, \blacktriangledown)}$$ 

□ 

E Proofs Omitted from the Complexity Analysis Section 

The proof of the subterm invariant (Lemma 10) for the machine is in the next 
subsection, and it is obtained as a corollary of a more general invariant. The 
subterm property for $\multimap_{LO}$ (Lemma 11) is an immediate consequence of Lemma 10 
and the case of the exponential transition in the distillation theorem (Theorem 3). 

E.1 Proof of the Subterm Invariant (Lemma 10) 

The subterm invariant as formulated in the paper is a consequence of the last 
point of the following more general invariant, because $\to_e$ duplicates codes from 
the environment, here proved to be subterms of the initial term. 

Lemma 14 (Subterm Invariant). Let $s = F \mid u \mid \pi \mid E \mid \varphi$ be a state 
reachable from the initial code $t$. Then 

1. Evaluating Code: if $\varphi = \blacktriangledown$, then $u$ is a subterm of $t$; 

2. Stack: any code in the stack $\pi$ is a subterm of $t$; 

3. Frame: if $F = F' : (w, \pi') : F''$, then any code in $\pi'$ is a subterm of $t$; 

4. Global Environment: if $E = E' : [x\leftarrow w] : E''$, then $w$ is a subterm of $t$. 

Proof. Let us use $t_0$ for the initial term. The invariant trivially holds for the 
initial state $\epsilon \mid t_0 \mid \epsilon \mid \epsilon \mid \blacktriangledown$. In the inductive case we look at the last transition: 

- Case $(F, tu, \pi, E, \blacktriangledown) \to_{c_1} (F, t, u : \pi, E, \blacktriangledown)$. 

1. Evaluating Code: by i.h., $tu$ is a subterm of $t_0$, so $t$ is also a subterm of 
$t_0$. 

2. Stack: by i.h., $tu$ is a subterm of $t_0$, so $u$ is also a subterm of $t_0$. Moreover, 
any piece of code in $\pi$ is a subterm of $t_0$ by i.h. 

3. Frame: it follows from the i.h., since the frame $F$ is unchanged. 

4. Environment: it follows from the i.h., since the environment $E$ is unchanged. 

- Case $(F, \lambda x.t, u : \pi, E, \blacktriangledown) \to_m (F, t, \pi, [x\leftarrow u] : E, \blacktriangledown)$. 

1. Evaluating Code: note that $t$ is a subterm of $\lambda x.t$. 

2. Stack: note that any piece of code in $\pi$ is also in $u : \pi$. 

3. Frame: it follows from the i.h., since $F$ is not modified. 

4. Environment: the new environment is of the form $[x\leftarrow u] : E$. Pieces of 
code in $E$ are subterms of $t_0$ by i.h. Moreover $u$ is the top of the stack 
$u : \pi$, so it is also a subterm of $t_0$. 

- Case $(F, \lambda x.t, \epsilon, E, \blacktriangledown) \to_{c_2} (x : F, t, \epsilon, \blacktriangledown x : E, \blacktriangledown)$. 

1. Evaluating Code: note that $t$ is a subterm of $\lambda x.t$, which is in turn a 
subterm of $t_0$ by i.h. 

2. Stack: trivial since the stack $\pi$ is empty. 

3. Frame: any pair of the form $(u, \pi')$ in the frame $x : F$ is also already 
present in $F$, so by i.h. any piece of code in $\pi'$ is a subterm of $t_0$. 

4. Environment: it follows from the i.h., since the environment $E$ is unchanged. 

- Case $(F, x, \pi, E, \blacktriangledown) \to_e (F, t^\alpha, \pi, E, \blacktriangledown)$. 

1. Evaluating Code: note that $t$ is bound by $E$. By i.h., it is a subterm of 
$t_0$. So $t^\alpha$ is also a subterm of $t_0$. 

2. Stack: it follows from the i.h., since the stack $\pi$ is unchanged. 

3. Frame: it follows from the i.h., since the frame $F$ is unchanged. 

4. Environment: it follows from the i.h., since the environment $E$ is unchanged. 

- Case $(F, x, \pi, E, \blacktriangledown) \to_{c_3} (F, x, \pi, E, \blacktriangle)$. 

1. Evaluating Code: trivial since $\varphi \neq \blacktriangledown$. 

2. Stack: it follows from the i.h., since the stack $\pi$ is unchanged. 

3. Frame: it follows from the i.h., since the frame $F$ is unchanged. 

4. Environment: it follows from the i.h., since the environment $E$ is unchanged. 

- Case $(x : F, t, \epsilon, E, \blacktriangle) \to_{c_4} (F, \lambda x.t, \epsilon, \blacktriangle x : E, \blacktriangle)$. 

1. Evaluating Code: trivial since $\varphi \neq \blacktriangledown$. 

2. Stack: trivial since the stack is empty. 

3. Frame: any pair of the form $(u, \pi)$ in the frame $F$ is also in the frame 
$x : F$, so any piece of code in $\pi$ is a subterm of $t_0$ by i.h. 

4. Environment: any substitution of the form $[y\leftarrow u]$ in the environment 
$\blacktriangle x : E$ is also in the environment $E$, so $u$ is a subterm of $t_0$ by i.h. 

- Case $((t, \pi) : F, u, \epsilon, E, \blacktriangle) \to_{c_5} (F, tu, \pi, E, \blacktriangle)$. 

1. Evaluating Code: trivial since $\varphi \neq \blacktriangledown$. 

2. Stack: the stack $\pi$ occurs at the left-hand side in the frame $(t, \pi) : F$, so 
by i.h. we know that any piece of code in $\pi$ is a subterm of $t_0$. 

3. Frame: any pair $(w, \pi')$ in the frame $F$ is also in the frame $(t, \pi) : F$, so 
any piece of code in $\pi'$ must be a subterm of $t_0$. 

4. Environment: it follows from the i.h., since the environment $E$ is unchanged. 

- Case $(F, t, u : \pi, E, \blacktriangle) \to_{c_6} ((t, \pi) : F, u, \epsilon, E, \blacktriangledown)$. 

1. Evaluating Code: note that $u$ is an element of the stack at the left-hand 
side of the transition, so by i.h. $u$ is a subterm of $t_0$. 

2. Stack: trivial since the stack is empty. 

3. Frame: any pair in the frame $(t, \pi) : F$ is also in the frame $F$ except for 
$(t, \pi)$. Consider a piece of code $r$ in the stack $\pi$. It is trivially also a piece 
of code in the stack $u : \pi$, so by i.h. we have that $r$ is a subterm of $t_0$. 

4. Environment: it follows from the i.h., since the environment $E$ is unchanged. □ 
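As an added illustration, not code from the paper: a Python transcription of the eight transitions enumerated in the proof above, run from the initial state and checked against the four points of Lemma 14 at every reachable state. The term, frame and environment encodings, the `x_n` renaming scheme for $t^\alpha$, and the `canon` helper (which compares codes to subterms of $t_0$ up to renaming) are this example's own choices.

```python
# Added example (not the paper's code). Encodings assumed here:
# terms ('var', x) | ('lam', x, t) | ('app', t, u); frame entries ('abs', x) for x:F and
# ('arg', t, pi) for (t, pi):F; environment entries ('sub', x, t) for [x<-t] and the
# scope markers ('down', x) / ('up', x). t^alpha renames bound variables to x_n, which
# assumes that user-chosen variable names contain no '_'.
from itertools import count

DOWN, UP = 'down', 'up'          # phases: DOWN is evaluation, UP is backtracking
_fresh = count()

def var(x): return ('var', x)
def lam(x, t): return ('lam', x, t)
def app(t, u): return ('app', t, u)

def rename(t, sub=None):
    """t^alpha: give every bound variable of t a fresh name (used by ->e)."""
    sub = sub or {}
    if t[0] == 'var':
        return var(sub.get(t[1], t[1]))
    if t[0] == 'lam':
        y = f"{t[1]}_{next(_fresh)}"
        return lam(y, rename(t[2], {**sub, t[1]: y}))
    return app(rename(t[1], sub), rename(t[2], sub))

def lookup(E, x):
    """Code bound to x by the first [x<-t] in the global environment E, else None."""
    for e in E:
        if e[0] == 'sub' and e[1] == x:
            return e[2]
    return None

def step(s):
    """One transition of the Strong MAM, or None if s is final."""
    F, t, pi, E, phase = s
    if phase == DOWN:
        if t[0] == 'app':                                        # ->c1
            return (F, t[1], (t[2],) + pi, E, DOWN)
        if t[0] == 'lam' and pi:                                 # ->m
            return (F, t[2], pi[1:], (('sub', t[1], pi[0]),) + E, DOWN)
        if t[0] == 'lam':                                        # ->c2
            return ((('abs', t[1]),) + F, t[2], (), (('down', t[1]),) + E, DOWN)
        u = lookup(E, t[1])
        if u is not None:                                        # ->e
            return (F, rename(u), pi, E, DOWN)
        return (F, t, pi, E, UP)                                 # ->c3
    if pi:                                                       # ->c6
        return ((('arg', t, pi[1:]),) + F, pi[0], (), E, DOWN)
    if not F:                                                    # final state
        return None
    if F[0][0] == 'abs':                                         # ->c4
        return (F[1:], lam(F[0][1], t), (), (('up', F[0][1]),) + E, UP)
    return (F[1:], app(F[0][1], t), F[0][2], E, UP)              # ->c5

def subterms(t):
    yield t
    for child in t[1:]:
        if isinstance(child, tuple):
            yield from subterms(child)

def canon(t, bound=()):
    """Name-independent form: de Bruijn indices for bound variables and the original
    (un-suffixed) name for free ones, so a renamed copy matches its source subterm."""
    if t[0] == 'var':
        x = t[1]
        return ('var', bound.index(x) if x in bound else x.split('_')[0])
    if t[0] == 'lam':
        return ('lam', canon(t[2], (t[1],) + bound))
    return ('app', canon(t[1], bound), canon(t[2], bound))

def codes(s):
    """Every code that the four points of Lemma 14 constrain."""
    F, t, pi, E, phase = s
    cs = list(pi) + ([t] if phase == DOWN else [])
    cs += [c for f in F if f[0] == 'arg' for c in f[2]]
    return cs + [e[2] for e in E if e[0] == 'sub']

def normalize(t0):
    """Run the machine from (eps, t0, eps, eps, DOWN) to its final state, checking the
    subterm invariant at every reachable state. Returns (normal form, number of steps)."""
    subs = {canon(u) for u in subterms(t0)}
    s, n = ((), t0, (), (), DOWN), 0
    while True:
        assert all(canon(c) in subs for c in codes(s)), "subterm invariant violated"
        nxt = step(s)
        if nxt is None:
            return s[1], n
        s, n = nxt, n + 1
```

Calling `normalize(app(lam('x', lam('y', app(var('x'), var('y')))), lam('z', var('z'))))` reaches the final state in nine transitions with the normal form $\lambda y.y$ and no invariant violation.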
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F Proof that Structural equivalence is a Strong 
Bisimnlation (Proposition [1]) 


We first need an auxiliary lemma (Lemma 16), which uses an alternative, inductive 
definition of LO contexts: 

Definition 12 (iLO Contexts). A context $C$ is inductively LO (or iLO) if a 
judgment about it can be derived using the following inductive rules: 

$$\frac{}{\langle\cdot\rangle \text{ is iLO}}\ \text{(ax-iLO)}
\qquad
\frac{C \text{ is iLO} \quad C \neq L\langle\lambda x.C'\rangle}{C\,t \text{ is iLO}}\ \text{(@l-iLO)}
\qquad
\frac{C \text{ is iLO}}{\lambda x.C \text{ is iLO}}\ \text{($\lambda$-iLO)}$$ 

$$\frac{t \text{ is neutral} \quad C \text{ is iLO}}{t\,C \text{ is iLO}}\ \text{(@r-iLO)}
\qquad
\frac{C \text{ is iLO} \quad x \notin \mathrm{lfv}(C)}{C[x\leftarrow u] \text{ is iLO}}\ \text{(ES-iLO)}$$ 

Lemma 15. A context $C$ is iLO iff it is LO. 

Proof. An immediate induction on $C$. □ 

Lemma 16. If $C$ is a LO context and $C$ does not bind any of the variables in 
$\mathrm{fv}(u)$, then $C\langle t[x\leftarrow u]\rangle \equiv C\langle t\rangle[x\leftarrow u]$. 

Proof. A context is LO iff it is iLO (Lemma 15). The property is then proved 
by induction on the derivation that $C$ is an iLO context. □ 

Proof (Structural Equivalence $\equiv$ is a Strong Bisimulation, Proposition 1). 

Let $\equiv_1$ be the symmetric and contextual closure of the axioms by which $\equiv$ 
is defined, i.e. 

$$\begin{array}{rcll}
t[x\leftarrow u] & \equiv_{gc} & t & \text{if } x \notin \mathrm{fv}(t) \\
t[x\leftarrow u][y\leftarrow w] & \equiv_{com} & t[y\leftarrow w][x\leftarrow u] & \text{if } y \notin \mathrm{fv}(u) \text{ and } x \notin \mathrm{fv}(w) \\
t[x\leftarrow u][y\leftarrow w] & \equiv_{[\cdot]} & t[x\leftarrow u[y\leftarrow w]] & \text{if } y \notin \mathrm{fv}(t) \\
t[x\leftarrow u] & \equiv_{dup} & t[x]_y[x\leftarrow u][y\leftarrow u] & \\
(\lambda x.t)[y\leftarrow u] & \equiv_{\lambda} & \lambda x.t[y\leftarrow u] & \text{if } x \notin \mathrm{fv}(u) \\
(t\, u)[x\leftarrow w] & \equiv_{@l} & t[x\leftarrow w]\, u & \text{if } x \notin \mathrm{fv}(u) \\
(t\, u)[x\leftarrow w] & \equiv_{@r} & t\, u[x\leftarrow w] & \text{if } x \notin \mathrm{fv}(t)
\end{array}$$ 

Note that $\equiv$ is the reflexive-transitive closure of $\equiv_1$. It suffices to show that 
$\equiv_1\multimap_{LO} \subseteq \multimap_{LO}\equiv$, preserving the kind of step (multiplicative/exponential). The 
fact that $\equiv$ is a bisimulation then follows by induction on the number of $\equiv_1$ 
steps. 

Let $w \equiv_1 t \multimap_{LO} u$. The proof of $w \multimap_{LO}\equiv u$ goes by induction on the context 
under which the step $t \multimap_{LO} u$ takes place. In the following proof note that: 

1. $\multimap_m$ steps are sent to $\multimap_m$ steps, 

2. $\multimap_e$ steps are sent to $\multimap_e$ steps, and 

3. no step is ever duplicated. 
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Cases: 

1. Base case 1: multiplicative root step, $t = L\langle\lambda x.t'\rangle u' \multimap_m L\langle t'[x\leftarrow u']\rangle$. If 
the $\equiv_1$ step is internal to $t'$, internal to $u'$, or internal to the argument of one 
of the substitutions in $L$, then the pattern of the $\equiv_1$ redex does not overlap 
with the $\multimap_m$ step, and the proof is immediate, as the two steps commute. 
Otherwise, we consider every possible case of $\equiv_1$: 

(a) Garbage collection, $\equiv_{gc}$. The garbage collected substitution must be one 
of the substitutions in $L$, i.e. $L$ must be of the form $L'\langle L''[y\leftarrow w']\rangle$. Then: 

$$\begin{array}{ccc}
L'\langle L''\langle\lambda x.t'\rangle[y\leftarrow w']\rangle u' & \multimap_m & L'\langle L''\langle t'[x\leftarrow u']\rangle[y\leftarrow w']\rangle \\
\equiv_{gc} & & \equiv_{gc} \\
L'\langle L''\langle\lambda x.t'\rangle\rangle u' & \multimap_m & L'\langle L''\langle t'[x\leftarrow u']\rangle\rangle
\end{array}$$ 

(b) Commutation of independent substitutions, $\equiv_{com}$. The substitutions that 
are commuted must be both in $L$, i.e. $L$ must be of the form $L'\langle L''[y\leftarrow w'][z\leftarrow r']\rangle$. 
Then: 

$$\begin{array}{ccc}
L'\langle L''\langle\lambda x.t'\rangle[y\leftarrow w'][z\leftarrow r']\rangle u' & \multimap_m & L'\langle L''\langle t'[x\leftarrow u']\rangle[y\leftarrow w'][z\leftarrow r']\rangle \\
\equiv_{com} & & \equiv_{com} \\
L'\langle L''\langle\lambda x.t'\rangle[z\leftarrow r'][y\leftarrow w']\rangle u' & \multimap_m & L'\langle L''\langle t'[x\leftarrow u']\rangle[z\leftarrow r'][y\leftarrow w']\rangle
\end{array}$$ 

(c) Composition of substitutions, $\equiv_{[\cdot]}$. The substitutions that are composed 
must be both in $L$, i.e. $L$ must be of the form $L'\langle L''[y\leftarrow w'][z\leftarrow r']\rangle$. Then: 

$$\begin{array}{ccc}
L'\langle L''\langle\lambda x.t'\rangle[y\leftarrow w'][z\leftarrow r']\rangle u' & \multimap_m & L'\langle L''\langle t'[x\leftarrow u']\rangle[y\leftarrow w'][z\leftarrow r']\rangle \\
\equiv_{[\cdot]} & & \equiv_{[\cdot]} \\
L'\langle L''\langle\lambda x.t'\rangle[y\leftarrow w'[z\leftarrow r']]\rangle u' & \multimap_m & L'\langle L''\langle t'[x\leftarrow u']\rangle[y\leftarrow w'[z\leftarrow r']]\rangle
\end{array}$$ 

(d) Duplication, $\equiv_{dup}$. The duplicated substitution must be one of the 
substitutions in $L$, i.e. $L$ must be of the form $L'\langle L''[y\leftarrow w']\rangle$. Then: 

$$\begin{array}{ccc}
L'\langle L''\langle\lambda x.t'\rangle[y\leftarrow w']\rangle u' & \multimap_m & L'\langle L''\langle t'[x\leftarrow u']\rangle[y\leftarrow w']\rangle \\
\equiv_{dup} & & \equiv_{dup} \\
L'\langle (L''\langle\lambda x.t'\rangle)[y]_z[y\leftarrow w'][z\leftarrow w']\rangle u' & \multimap_m & L'\langle (L''\langle t'[x\leftarrow u']\rangle)[y]_z[y\leftarrow w'][z\leftarrow w']\rangle
\end{array}$$ 

(e) Commutation with abstraction, $\equiv_{\lambda}$. The commuted substitution must be 
the innermost substitution in $L$, i.e. $L$ must be of the form $L'\langle\langle\cdot\rangle[y\leftarrow w']\rangle$, 
and: 

$$\begin{array}{ccc}
L'\langle (\lambda x.t')[y\leftarrow w']\rangle u' & \multimap_m & L'\langle t'[x\leftarrow u'][y\leftarrow w']\rangle \\
\equiv_{\lambda} & & \equiv_{com} \\
L'\langle\lambda x.t'[y\leftarrow w']\rangle u' & \multimap_m & L'\langle t'[y\leftarrow w'][x\leftarrow u']\rangle
\end{array}$$ 

Note that the diagram can also be read from the bottom up, for a reverse 
application of the $\equiv_{\lambda}$ rule. In order to be able to apply $\equiv_{com}$, note that 
$x \notin \mathrm{fv}(w')$ by application of the $\equiv_{\lambda}$ rule, and that $y \notin \mathrm{fv}(u')$ by the 
bound variable convention. 

(f) Left commutation with application, $\equiv_{@l}$. The only possibility is that the 
outermost substitution of $L$ commutes with the application taking part 
in the $\multimap_m$ step. That is, $L$ must be of the form $L'[y\leftarrow w']$ and: 

$$\begin{array}{ccc}
L'\langle\lambda x.t'\rangle[y\leftarrow w']\, u' & \multimap_m & L'\langle t'[x\leftarrow u']\rangle[y\leftarrow w'] \\
\equiv_{@l} & & = \\
(L'\langle\lambda x.t'\rangle\, u')[y\leftarrow w'] & \multimap_m & L'\langle t'[x\leftarrow u']\rangle[y\leftarrow w']
\end{array}$$ 

(g) Right commutation with application, $\equiv_{@r}$. Note that every $\equiv_{@r}$ (and 
$\equiv_{@r}^{-1}$) redex in $L\langle\lambda x.t'\rangle u'$ must be internal to either $t'$, $u'$, or the argument 
of one of the substitutions in $L$. We have already argued that in 
these cases the steps commute. 

2. Base case 2: exponential root step, $t = C\langle x\rangle[x\leftarrow t'] \multimap_e C\langle t'\rangle[x\leftarrow t']$. 

If the substitution that is contracted by the exponential step does not take 
part in the pattern of the $\equiv_1$ step, it is immediate to check that the property 
holds. More precisely, suppose that $C\langle x\rangle[x\leftarrow t'] \equiv_1 C'\langle x\rangle[x\leftarrow t'']$, where $C'$ 
and $t''$ result respectively from $C$ and $t'$ by a single step of $\equiv_1$. Note that we 
have that either $C \equiv_1 C'$ and $t' = t''$, or vice versa. Then: 

$$\begin{array}{ccc}
C\langle x\rangle[x\leftarrow t'] & \multimap_e & C\langle t'\rangle[x\leftarrow t'] \\
\equiv_1 & & \equiv \\
C'\langle x\rangle[x\leftarrow t''] & \multimap_e & C'\langle t''\rangle[x\leftarrow t'']
\end{array}$$ 

Note that when commutation affects $t'$ (i.e. if we are in the case in which 
$C = C'$ and $t' \equiv_1 t''$), then the right-hand side of the diagram must be 
closed by two $\equiv_1$ steps: one for each copy of $t'$. 

So we may assume that the substitution that is contracted by the exponential 
step does take part in the pattern of the $\equiv_1$ step. We consider every possible 
case of $\equiv_1$: 

(a) Garbage collection, $\equiv_{gc}$. The garbage collected substitution cannot erase 
the contracted occurrence of $x$, since $C$ is a LO context, and it cannot 
go inside substitutions. Two subcases, depending on the position of the 
hole of $C$ with respect to the node of the garbage collected substitution: 

i. If the hole of $C$ lies inside the body of the garbage collected substitution, 
i.e. $C = C'\langle C''[y\leftarrow u']\rangle$ with $y \notin \mathrm{fv}(C''\langle x\rangle)$, then: 

$$\begin{array}{ccc}
C'\langle C''\langle x\rangle[y\leftarrow u']\rangle[x\leftarrow t'] & \multimap_e & C'\langle C''\langle t'\rangle[y\leftarrow u']\rangle[x\leftarrow t'] \\
\equiv_{gc} & & \equiv_{gc} \\
C'\langle C''\langle x\rangle\rangle[x\leftarrow t'] & \multimap_e & C'\langle C''\langle t'\rangle\rangle[x\leftarrow t']
\end{array}$$ 

Note that $y \notin \mathrm{fv}(C''\langle t'\rangle)$ since we may assume that $y \notin \mathrm{fv}(t')$ by 
the bound variable convention. 

ii. Otherwise, the hole of $C$ must be disjoint from the node of the 
garbage collected substitution, i.e. there must be a two-hole context 
$C'$ such that: 

$$C = C'\langle\langle\cdot\rangle, u'[y\leftarrow w']\rangle$$ 

where $y \notin \mathrm{fv}(u')$. Then: 

$$\begin{array}{ccc}
C'\langle x, u'[y\leftarrow w']\rangle[x\leftarrow t'] & \multimap_e & C'\langle t', u'[y\leftarrow w']\rangle[x\leftarrow t'] \\
\equiv_{gc} & & \equiv_{gc} \\
C'\langle x, u'\rangle[x\leftarrow t'] & \multimap_e & C'\langle t', u'\rangle[x\leftarrow t']
\end{array}$$ 

(b) Commutation of independent substitutions, $\equiv_{com}$. Note that the contracted 
occurrence of $x$ cannot be inside the argument of any of the 
commuted substitutions, since $C$ is a LO context and it cannot go inside 
substitutions. Since the contracted substitution is commuted, we have 
that $C$ must be of the form $C'[y\leftarrow u']$ and the situation is: 

$$\begin{array}{ccc}
C'\langle x\rangle[y\leftarrow u'][x\leftarrow t'] & \multimap_e & C'\langle t'\rangle[y\leftarrow u'][x\leftarrow t'] \\
\equiv_{com} & & \equiv_{com} \\
C'\langle x\rangle[x\leftarrow t'][y\leftarrow u'] & \multimap_e & C'\langle t'\rangle[x\leftarrow t'][y\leftarrow u']
\end{array}$$ 

(c) Composition of substitutions, $\equiv_{[\cdot]}$. Note that the contracted occurrence 
of $x$ cannot be inside the argument of any of the two substitutions that 
take part in the $\equiv_{[\cdot]}$ step, since $C$ is a LO context and it cannot go inside 
substitutions. We know that the contracted substitution takes part in the 
$\equiv_{[\cdot]}$ step. We consider two subcases, depending on whether the $\equiv_{[\cdot]}$ rule 
is applied from left to right or from right to left, since the situation is 
not symmetrical. 

i. If the $\equiv_{[\cdot]}$ step is applied from left to right, then $C$ must be of the 
form $C'[y\leftarrow u']$ with $x \notin \mathrm{fv}(C'\langle x\rangle)$. This is a contradiction, so this 
case is not actually possible. 

ii. If the $\equiv_{[\cdot]}$ step is applied from right to left, then $t'$ must be of the 
form $t''[y\leftarrow u']$ and: 

$$\begin{array}{ccc}
C\langle x\rangle[x\leftarrow t''[y\leftarrow u']] & \multimap_e & C\langle t''[y\leftarrow u']\rangle[x\leftarrow t''[y\leftarrow u']] \\
\equiv_{[\cdot]} & & \equiv \\
C\langle x\rangle[x\leftarrow t''][y\leftarrow u'] & \multimap_e & C\langle t''\rangle[x\leftarrow t''][y\leftarrow u']
\end{array}$$ 

To close the right-hand side of the diagram, we are left to show that: 

$$C\langle t''[y\leftarrow u']\rangle[x\leftarrow t''[y\leftarrow u']] \equiv C\langle t''\rangle[x\leftarrow t''][y\leftarrow u']$$ 

First note that $C$ is a LO context, and that, by the bound variable 
convention, $C$ does not bind any of the variables in $\mathrm{fv}(u')$. By resorting 
to Lemma 16, this allows us to commute the substitution $[y\leftarrow u']$ out of $C$, so 
that: 

$$\begin{array}{rcll}
& & C\langle t''[y\leftarrow u']\rangle[x\leftarrow t''[y\leftarrow u']] & \\
& \equiv & C\langle t''\rangle[y\leftarrow u'][x\leftarrow t''[y\leftarrow u']] & \text{by Lemma 16} \\
& \equiv_{[\cdot]} & C\langle t''\rangle[y\leftarrow u'][x\leftarrow t''][y\leftarrow u'] & \\
& = & C\langle t''\rangle[y\leftarrow u'][x\leftarrow t''\{y\to z\}][z\leftarrow u'] & \text{renaming } y \text{ to } z \\
& \equiv_{com} & C\langle t''\rangle[x\leftarrow t''\{y\to z\}][y\leftarrow u'][z\leftarrow u'] & \\
& \equiv_{dup} & C\langle t''\rangle[x\leftarrow t''][y\leftarrow u'] &
\end{array}$$ 

(d) Duplication, $\equiv_{dup}$. Note that the contracted occurrence of $x$ cannot be 
inside the argument of any of the two substitutions that take part in the 
$\equiv_{dup}$ step, since $C$ is a LO context and it cannot go inside substitutions. 
We consider two cases, depending on whether $\equiv_{dup}$ is applied from left 
to right or from right to left: 

i. From left to right: the contracted occurrence of $x$ is either renamed 
to $y$ or left untouched as $x$. Let $z$ denote $x$ or $y$, correspondingly. In 
both cases we have: 

$$\begin{array}{ccc}
C\langle x\rangle[x\leftarrow t'] & \multimap_e & C\langle t'\rangle[x\leftarrow t'] \\
\equiv_{dup} & & \equiv_{dup} \\
C[x]_y\langle z\rangle[x\leftarrow t'][y\leftarrow t'] & \multimap_e & C[x]_y\langle t'\rangle[x\leftarrow t'][y\leftarrow t']
\end{array}$$ 

ii. From right to left: then $C$ is of the form $C'[y]_x[y\leftarrow t']$, where $C'$ has 
no occurrences of $x$, and: 

$$\begin{array}{ccc}
C'[y]_x\langle x\rangle[y\leftarrow t'][x\leftarrow t'] & \multimap_e & C'[y]_x\langle t'\rangle[y\leftarrow t'][x\leftarrow t'] \\
\equiv_{dup} & & \equiv_{dup} \\
C'\langle y\rangle[y\leftarrow t'] & \multimap_e & C'\langle t'\rangle[y\leftarrow t']
\end{array}$$ 

(e) Commutation with abstraction, $\equiv_{\lambda}$. Then $C$ is of the form $\lambda y.C'$ and: 

$$\begin{array}{ccc}
(\lambda y.C'\langle x\rangle)[x\leftarrow t'] & \multimap_e & (\lambda y.C'\langle t'\rangle)[x\leftarrow t'] \\
\equiv_{\lambda} & & \equiv_{\lambda} \\
\lambda y.C'\langle x\rangle[x\leftarrow t'] & \multimap_e & \lambda y.C'\langle t'\rangle[x\leftarrow t']
\end{array}$$ 

(f) Left commutation with application, $\equiv_{@l}$. Then $C$ is of the form $C'\, u'$ and: 

$$\begin{array}{ccc}
(C'\langle x\rangle\, u')[x\leftarrow t'] & \multimap_e & (C'\langle t'\rangle\, u')[x\leftarrow t'] \\
\equiv_{@l} & & \equiv_{@l} \\
C'\langle x\rangle[x\leftarrow t']\, u' & \multimap_e & C'\langle t'\rangle[x\leftarrow t']\, u'
\end{array}$$ 

(g) Right commutation with application, $\equiv_{@r}$. Then $C$ is of the form $u'\, C'$ 
and: 

$$\begin{array}{ccc}
(u'\, C'\langle x\rangle)[x\leftarrow t'] & \multimap_e & (u'\, C'\langle t'\rangle)[x\leftarrow t'] \\
\equiv_{@r} & & \equiv_{@r} \\
u'\, C'\langle x\rangle[x\leftarrow t'] & \multimap_e & u'\, C'\langle t'\rangle[x\leftarrow t']
\end{array}$$ 
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3. Inductive case 1: inside an abstraction. Suppose that t = lx.t' 
lx.u' = u. We consider two subcases, depending on whether the ^ step is 
internal to the body of the abstraction, or involves the outermost abstraction: 

(a) If the application of the ^ step is internal to t', we have by i.h.: 

t' -o u' 

-Or' 

so is immediate to conclude that: 

lx.t' -o lx.u' 

lx.w' -o lx.r' 

(b) If the outermost abstraction takes part in the ^ step, then a =a step 
must have been applied, so t' must be of the form t"[y^u']. We consider 
two further subcases, depending on whether the commuted substitution 
is involved in the reduction step: 

i. If the reduction step t"[y->^u'] w' is an exponential, and the com¬ 
muted substitution is the one contracted by the exponential 

step, then the situation is exactly like in case I2el f Commutation with 
abstraction for exponential steps), by reading the diagram from the 
bottom up. 

ii. Otherwise, note that there cannot be a multiplicative step at the 
root, and that the step cannot be internal to it', as LO contexts do 
not go inside substitutions. Therefore the reduction step must be 
internal to t" and the situation is: 

lx.t"[y-i-u'] -o lx.u"[y*^u'] 

=A =A 

{lx.t")[y<^u'] -o {lx.u")[y->^u'] 

4. Inductive case 2: left of an application. Suppose that $t = t'\, q \multimap_{LO} u'\, q = u$. 
If the application of the $\equiv_1$ step is internal to $t'$, we may immediately 
conclude by i.h. (analogous to case 3a). The interesting case is when the 
outermost application takes part in the $\equiv_1$ step. There are two possibilities, 
depending on whether a $\equiv_{@l}$ step or a $\equiv_{@r}$ step is applied: 

(a) $\equiv_{@l}$ step. Then $t'$ must be of the form $t''[x\leftarrow w']$. We consider two further 
subcases, depending on whether the commuted substitution is involved 
in the reduction step: 

i. If the reduction step $t''[x\leftarrow w'] \multimap_{LO} r'$ is an exponential step and the 
commuted substitution $[x\leftarrow w']$ is also the one contracted by the exponential 
step, then the situation is exactly like in case 2f (Left commutation 
with application for exponential steps), by reading the diagram 
from the bottom up. 

ii. Otherwise, note that the reduction step cannot be internal to $w'$, 
since LO contexts do not go inside substitutions, so it must be 
internal to $t''$ and the situation is: 

$$\begin{array}{ccc}
t''[x\leftarrow w']\, q & \multimap_{LO} & u''[x\leftarrow w']\, q \\
\equiv_{@l} & & \equiv_{@l} \\
(t''\, q)[x\leftarrow w'] & \multimap_{LO} & (u''\, q)[x\leftarrow w']
\end{array}$$ 

(b) $\equiv_{@r}$ step. Then $q$ must be of the form $q'[x\leftarrow w']$ and the situation is: 

$$\begin{array}{ccc}
t'\, q'[x\leftarrow w'] & \multimap_{LO} & u'\, q'[x\leftarrow w'] \\
\equiv_{@r} & & \equiv_{@r} \\
(t'\, q')[x\leftarrow w'] & \multimap_{LO} & (u'\, q')[x\leftarrow w']
\end{array}$$ 

5. Inductive case 3: right of an application. Suppose that $t = q\, t' \multimap_{LO} q\, u' = u$. 
If the application of the $\equiv_1$ step is internal to $t'$, we may immediately 
conclude by i.h. (analogous to case 3a). The interesting case is when the 
outermost application takes part in the $\equiv_1$ step. There are two possibilities, 
depending on whether a $\equiv_{@l}$ step or a $\equiv_{@r}$ step is applied: 

(a) $\equiv_{@l}$ step. Then $q$ must be of the form $q'[x\leftarrow w']$ and the situation is: 

$$\begin{array}{ccc}
q'[x\leftarrow w']\, t' & \multimap_{LO} & q'[x\leftarrow w']\, u' \\
\equiv_{@l} & & \equiv_{@l} \\
(q'\, t')[x\leftarrow w'] & \multimap_{LO} & (q'\, u')[x\leftarrow w']
\end{array}$$ 

(b) $\equiv_{@r}$ step. Then $t'$ must be of the form $t''[x\leftarrow w']$. We consider two further 
subcases, depending on whether the commuted substitution is involved 
in the reduction step: 

i. If the reduction step $t''[x\leftarrow w'] \multimap_{LO} r'$ is an exponential step and the 
commuted substitution $[x\leftarrow w']$ is also the one contracted by the exponential 
step, then the situation is exactly like in case 2g (Right 
commutation with application for exponential steps), by reading the 
diagram from the bottom up. 

ii. Otherwise, note that the reduction step cannot be internal to $w'$, 
since LO contexts do not go inside substitutions, so it must be 
internal to $t''$ and the situation is: 

$$\begin{array}{ccc}
q\, t''[x\leftarrow w'] & \multimap_{LO} & q\, u''[x\leftarrow w'] \\
\equiv_{@r} & & \equiv_{@r} \\
(q\, t'')[x\leftarrow w'] & \multimap_{LO} & (q\, u'')[x\leftarrow w']
\end{array}$$ 

6. Inductive case 4: left of a substitution. Suppose that $t = t'[x\leftarrow q] \multimap_{LO} u'[x\leftarrow q] = u$. 
If the application of the $\equiv_1$ step is internal to $t'$, we may 
immediately conclude by i.h. (analogous to case 3a). The interesting case is 
when the outermost substitution node takes part in the $\equiv_1$ step. There are 
four possibilities, depending on whether a $\equiv_{gc}$ step, a $\equiv_{com}$ step, a $\equiv_{[\cdot]}$ step, 
or a $\equiv_{dup}$ step is applied: 

(a) $\equiv_{gc}$ step. The reduction step cannot be internal to $q$, since LO contexts 
may not go inside substitutions, so the step must be internal to $t'$, and 
closing the diagram is trivial: 

$$\begin{array}{ccc}
t'[x\leftarrow q] & \multimap_{LO} & u'[x\leftarrow q] \\
\equiv_{gc} & & \equiv_{gc} \\
t' & \multimap_{LO} & u'
\end{array}$$ 

Note that if $x \notin \mathrm{fv}(t')$ then $x \notin \mathrm{fv}(u')$ by the usual property that 
reduction does not create free variables. 

(b) $\equiv_{com}$ step. Then $t'$ must be of the form $t''[y\leftarrow w']$ with $x \notin \mathrm{fv}(w')$. 
We consider two further subcases, depending on whether the commuted 
substitution is involved in the reduction step: 

i. If the reduction step $t''[y\leftarrow w'] \multimap_{LO} r'$ is an exponential step and the 
commuted substitution $[y\leftarrow w']$ is also the one contracted by the exponential 
step, then the situation is exactly like in case 2b (Commutation 
of independent substitutions for exponential steps), by reading 
the diagram from the bottom up. 

ii. Otherwise, note that the reduction step cannot be internal to $w'$, 
since LO contexts may not go inside substitutions, so it must be 
internal to $t''$, and the situation is: 

$$\begin{array}{ccc}
t''[y\leftarrow w'][x\leftarrow q] & \multimap_{LO} & u''[y\leftarrow w'][x\leftarrow q] \\
\equiv_{com} & & \equiv_{com} \\
t''[x\leftarrow q][y\leftarrow w'] & \multimap_{LO} & u''[x\leftarrow q][y\leftarrow w']
\end{array}$$ 

(c) $\equiv_{[\cdot]}$ step. Two cases, depending on whether the $\equiv_{[\cdot]}$ step is applied from 
left to right or from right to left: 

i. $\equiv_{[\cdot]}$ is applied from left to right. Then $t'$ must be of the form $t''[y\leftarrow w']$ 
with $x \notin \mathrm{fv}(t'')$. We consider two further subcases, depending on 
whether the commuted substitution is involved in the reduction step: 

A. If the reduction step $t''[y\leftarrow w'] \multimap_{LO} r'$ is an exponential step and the 
commuted substitution $[y\leftarrow w']$ is also the one contracted by the 
exponential step, then the situation is exactly like in case 2(c)ii 
(Composition of substitutions for exponential steps), by reading 
the diagram from the bottom up. 

B. Otherwise, note that the reduction step cannot be internal to $w'$, 
since LO contexts may not go inside substitutions, so it must be 
internal to $t''$, and the situation is: 

$$\begin{array}{ccc}
t''[y\leftarrow w'][x\leftarrow q] & \multimap_{LO} & u''[y\leftarrow w'][x\leftarrow q] \\
\equiv_{[\cdot]} & & \equiv_{[\cdot]} \\
t''[y\leftarrow w'[x\leftarrow q]] & \multimap_{LO} & u''[y\leftarrow w'[x\leftarrow q]]
\end{array}$$ 

Note that if $x \notin \mathrm{fv}(t'')$ then $x \notin \mathrm{fv}(u'')$, by the usual fact that 
reduction does not create free variables. 

ii. $\equiv_{[\cdot]}$ is applied from right to left. Then $q$ must be of the form $q'[y\leftarrow w']$, 
and the reduction step must be internal to $t'$, so the situation is: 

$$\begin{array}{ccc}
t'[x\leftarrow q'[y\leftarrow w']] & \multimap_{LO} & u'[x\leftarrow q'[y\leftarrow w']] \\
\equiv_{[\cdot]} & & \equiv_{[\cdot]} \\
t'[x\leftarrow q'][y\leftarrow w'] & \multimap_{LO} & u'[x\leftarrow q'][y\leftarrow w']
\end{array}$$ 

(d) $\equiv_{dup}$ step. Two cases, depending on whether the $\equiv_{dup}$ step is applied 
from left to right or from right to left: 

i. $\equiv_{dup}$ is applied from left to right. Then the reduction step is internal 
to $t'$ and closing the diagram is immediate: 

$$\begin{array}{ccc}
t'[x\leftarrow q] & \multimap_{LO} & u'[x\leftarrow q] \\
\equiv_{dup} & & \equiv_{dup} \\
t'[x]_y[x\leftarrow q][y\leftarrow q] & \multimap_{LO} & u'[x]_y[x\leftarrow q][y\leftarrow q]
\end{array}$$ 

ii. $\equiv_{dup}$ is applied from right to left. Then $t'$ must be of the form $t''[y\leftarrow q]$. 
We consider two further subcases, depending on whether the 
commuted substitution is involved in the reduction step: 

A. If the reduction step $t''[y\leftarrow q] \multimap_{LO} r'$ is an exponential step and 
the affected substitution $[y\leftarrow q]$ is also the one contracted by the 
exponential step, then $t''$ must be of the form $C'[y]_x\langle y\rangle$ and the 
situation is: 

$$\begin{array}{ccc}
C'[y]_x\langle y\rangle[y\leftarrow q][x\leftarrow q] & \multimap_e & C'[y]_x\langle q\rangle[y\leftarrow q][x\leftarrow q] \\
\equiv_{dup} & & \equiv_{dup} \\
C'\langle y\rangle[y\leftarrow q] & \multimap_e & C'\langle q\rangle[y\leftarrow q]
\end{array}$$ 

B. Otherwise, note that the reduction step cannot be internal to $q$, 
since LO contexts may not go inside substitutions, so it must be 
internal to $t''$. The situation is then exactly like in case 6(d)i, 
by reading the diagram from the bottom up. 

□ 